drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-05-01 19:32:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

..

27 Commits
v70.6 ... master

Author SHA1 Message Date
bol-van
d21175b4a3 nfqws: prepare for +- autottl 2025-04-29 17:45:34 +03:00
bol-van
68a538daed nfqws: conntrack: do not reset entry on dup SA 2025-04-29 16:31:37 +03:00
bol-van
d2c9ff50cd nfqws: copy DF ip flag 2025-04-29 13:36:05 +03:00
bol-van
50539d6cbf nfqws: windows fixes for recent changes 2025-04-29 12:25:23 +03:00
bol-van
8b5dfcfae1 nfqws: dup,orig_mod 2025-04-26 19:48:35 +03:00
bol-van
ccc60b5f07 init.d: fix missing - sign in 50-nfqws-ipset 2025-04-22 19:28:14 +03:00
bol-van
7f94f42b1d init.d: fix local var name 2025-04-22 19:07:26 +03:00
bol-van
1c1f259b39 init.d: improve nfqws ipset example 2025-04-22 19:03:18 +03:00
bol-van
6ef6c8ee5a nfqws: do not use overlapping memcmp 2025-04-21 15:54:06 +03:00
bol-van
581badfb73 nfqws: --dpi-desync-fake-tls=! 2025-04-21 14:52:51 +03:00
bol-van
8fce75daa4 hardware offload: be closer to fw4 in interface names 2025-04-20 11:26:07 +03:00
bol-van
c1e2e56576 hardware offload: be closer to fw4 in interface names 2025-04-20 11:24:55 +03:00
bol-van
e16ec69922 nfqws: fix unitialized use of host buffer (udp) 2025-04-20 08:49:50 +03:00
bol-van
63256a142f nfqws: fix unitialized use of host buffer 2025-04-19 19:59:42 +03:00
bol-van
4a9a8bd48e typo 2025-04-19 19:41:40 +03:00
bol-van
b996abd5ce nfqws,tpws: use tls record length in TLSDebug 2025-04-14 12:18:07 +03:00
bol-van
12461de3b0 nfqws,tpws: optimize tls debug, show quic 2025-04-14 11:21:16 +03:00
bol-van
7dab497b57 nfqws,tpws: optimize tls debug, show quic 2025-04-14 11:20:20 +03:00
bol-van
41dbba1c4c nfqws,tpws: debug alpn and ech 2025-04-13 18:07:46 +03:00
bol-van
d19f6c19a4 nfqws,tpws: debug tls version 2025-04-13 15:27:50 +03:00
bol-van
b12b1a5a17 winws build fix 2025-04-08 17:33:14 +03:00
bol-van
8022e2576d nfqws: BSD/clang build fix 2025-04-08 17:23:15 +03:00
bol-van
f4ea264ba9 minor var spelling fix 2025-04-08 17:02:33 +03:00
bol-van
061acb27e4
Merge pull request from tie/master 
use enum for option indices
 2025-04-08 17:00:53 +03:00
Ivan Trubach
8eb830d304 use enum for option indices 2025-04-08 16:56:17 +03:00
bol-van
2fb93c6add blockcheck: test tpws exists 2025-04-08 16:17:40 +03:00
bol-van
ad5c246629 blockcheck: test whether tpws supports fix-seg 2025-04-08 16:15:06 +03:00
26 changed files with 1822 additions and 783 deletions

15
blockcheck.sh

@ -341,6 +341,12 @@ netcat_test()
}
}
tpws_can_fix_seg()
{
# fix-seg requires kernel 4.6+
"$TPWS" --port 1 --dry-run --fix-seg >/dev/null 2>/dev/null
}
check_system()
{
echo \* checking system
@ -355,7 +361,14 @@ check_system()
Linux)
PKTWS="$NFQWS"
PKTWSD=nfqws
FIX_SEG='--fix-seg'
if [ -x "$TPWS" ] ; then
if tpws_can_fix_seg ; then
echo tpws supports --fix-seg on this system
FIX_SEG='--fix-seg'
else
echo tpws does not support --fix-seg on this system
fi
fi
linux_fwtype
[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
echo firewall type $FWTYPE not supported in $UNAME

8
common/linux_iphelper.sh

@ -111,6 +111,14 @@ unprepare_route_localnet()
set_route_localnet 0 "$@"
}
get_uevent_devtype()
{
local DEVTYPE INTERFACE IFINDEX OF_NAME OF_FULLNAME OF_COMPATIBLE_N
[ -f "/sys/class/net/$1/uevent" ] && {
. "/sys/class/net/$1/uevent"
echo -n $DEVTYPE
}
}
resolve_lower_devices()
{
# $1 - bridge interface name

11
common/nft.sh

@ -320,7 +320,7 @@ nft_fill_ifsets()
# $5 - space separated wan physical interface names (optional)
# $6 - space separated wan6 physical interface names (optional)
local script i j ALLDEVS devs
local script i j ALLDEVS devs b
# if large sets exist nft works very ineffectively
# looks like it analyzes the whole table blob to find required data pieces
@ -348,15 +348,18 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
nft_create_or_update_flowtable 'offload' 2>/dev/null
# then add elements. some of them can cause error because unsupported
for i in $ALLDEVS; do
# first try to add interface itself
nft_create_or_update_flowtable 'offload' $i 2>/dev/null
# bridge members must be added instead of the bridge itself
# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
b=
devs=$(resolve_lower_devices $i)
for j in $devs; do
# do not display error if addition failed
nft_create_or_update_flowtable 'offload' $j 2>/dev/null
nft_create_or_update_flowtable 'offload' $j && b=1 2>/dev/null
done
[ -n "$b" ] || {
# no lower devices added ? try to add interface itself
nft_create_or_update_flowtable 'offload' $i 2>/dev/null
}
done
;;
esac

5
docs/changes.txt

@ -481,3 +481,8 @@ nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SN
nfqws: multiple mods for multiple TLS fakes
init.d: remove 50-discord
blockcheck: use tpws --fix-seg on linux for multiple splits
v70.7
nfqws,tpws: debug tls version, alpn, ech
nfqws: --dpi-desync-fake-tls=! means default tls fake

4
docs/readme.en.md

@ -1,4 +1,4 @@
# zapret v70.6
# zapret v70.7
# SCAMMER WARNING
@ -173,7 +173,7 @@ nfqws takes the following parameters:
--dpi-desync-badack-increment=<int|0xHEX> ; badseq fooling ackseq signed increment. default -66000
--dpi-desync-any-protocol=0|1 ; 0(default)=desync only http and tls 1=desync any nonempty data packet
--dpi-desync-fake-http=<filename>|0xHEX ; file containing fake http request
--dpi-desync-fake-tls=<filename>|0xHEX ; file containing fake TLS ClientHello (for https)
--dpi-desync-fake-tls=<filename>|0xHEX|! ; file containing fake TLS ClientHello (for https). '!' = standard fake
--dpi-desync-fake-tls-mod=mod[,mod] ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,sni=<sni>,dupsid,padencap
--dpi-desync-fake-unknown=<filename>|0xHEX ; file containing unknown protocol fake payload
--dpi-desync-fake-syndata=<filename>|0xHEX ; file containing SYN data payload

4
docs/readme.md

@ -1,4 +1,4 @@
# zapret v70.6
# zapret v70.7
# ВНИМАНИЕ, остерегайтесь мошенников
@ -195,7 +195,7 @@ dvtws, собираемый из тех же исходников (см. [док
--dpi-desync-badack-increment=<int|0xHEX> ; инкремент ack sequence number для badseq. по умолчанию -66000
--dpi-desync-any-protocol=0|1 ; 0(default)=работать только по http request и tls clienthello 1=по всем непустым пакетам данных
--dpi-desync-fake-http=<filename>|0xHEX ; файл, содержащий фейковый http запрос для dpi-desync=fake, на замену стандартному www.iana.org
--dpi-desync-fake-tls=<filename>|0xHEX ; файл, содержащий фейковый tls clienthello для dpi-desync=fake, на замену стандартному
--dpi-desync-fake-tls=<filename>|0xHEX|! ; файл, содержащий фейковый tls clienthello для dpi-desync=fake, на замену стандартному. '!' = стандартный фейк
--dpi-desync-fake-tls-mod=mod[,mod] ; список через запятую режимов runtime модификации фейков : none,rnd,rndsni,sni=<sni>,dupsid,padencap
--dpi-desync-fake-unknown=<filename>|0xHEX ; файл, содержащий фейковый пейлоад неизвестного протокола для dpi-desync=fake, на замену стандартным нулям 256 байт
--dpi-desync-fake-syndata=<filename>|0xHEX ; файл, содержащий фейковый пейлоад пакета SYN для режима десинхронизации syndata

142
init.d/custom.d.examples.linux/50-nfqws-ipset

@ -1,19 +1,29 @@
# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
# this custom script demonstrates how to launch extra nfqws instance limited by ipset
# can override in config :
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
NFQWS_MY1_OPT="${NFQWS_MY1_OPT:---filter-udp=* --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol --new --filter-tcp=* --dpi-desync=multisplit}"
NFQWS_MY1_SUBNETS4="${NFQWS_MY1_SUBNETS4:-173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 64.233.160.0/19 172.217.0.0/16}"
NFQWS_MY1_SUBNETS6="${NFQWS_MY1_SUBNETS6:-2a00:1450::/29}"
NFQWS_MY1_PORTS_TCP=${NFQWS_MY1_PORTS_TCP:-$NFQWS_PORTS_TCP}
NFQWS_MY1_PORTS_UDP=${NFQWS_MY1_PORTS_UDP:-$NFQWS_PORTS_UDP}
NFQWS_MY1_TCP_PKT_OUT=${NFQWS_MY1_TCP_PKT_OUT:-$NFQWS_TCP_PKT_OUT}
NFQWS_MY1_UDP_PKT_OUT=${NFQWS_MY1_UDP_PKT_OUT:-$NFQWS_UDP_PKT_OUT}
NFQWS_MY1_TCP_PKT_IN=${NFQWS_MY1_TCP_PKT_IN:-$NFQWS_TCP_PKT_IN}
NFQWS_MY1_UDP_PKT_IN=${NFQWS_MY1_UDP_PKT_IN:-$NFQWS_UDP_PKT_IN}
NFQWS_MY1_IPSET_SIZE=${NFQWS_MY1_IPSET_SIZE:-4096}
NFQWS_MY1_IPSET_OPT="${NFQWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $NFQWS_MY1_IPSET_SIZE}"
alloc_dnum DNUM_NFQWS_MY1
alloc_qnum QNUM_NFQWS_MY1
NFQWS_MY1_SET_NAME=my1nfqws4
NFQWS_MY1_NAME4=my1nfqws4
NFQWS_MY1_NAME6=my1nfqws6
zapret_custom_daemons()
{
# $1 - 1 - run, 0 - stop
local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_MY1_OPT"
do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
}
@ -21,54 +31,114 @@ zapret_custom_firewall()
{
# $1 - 1 - run, 0 - stop
local f
local first_packets_only="$ipt_connbytes 1:3"
local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
local subnet
local f4 f6 subnet
local NFQWS_MY1_PORTS_TCP=$(replace_char - : $NFQWS_MY1_PORTS_TCP)
local NFQWS_MY1_PORTS_UDP=$(replace_char - : $NFQWS_MY1_PORTS_UDP)
local DISABLE_IPV6=1
[ "$1" = 1 ] && {
ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
ipset flush $NFQWS_MY1_SET_NAME
for subnet in $NFQWS_MY1_SUBNETS; do
echo add $NFQWS_MY1_SET_NAME $subnet
[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
ipset create $NFQWS_MY1_NAME4 $NFQWS_MY1_IPSET_OPT family inet 2>/dev/null
ipset flush $NFQWS_MY1_NAME4
for subnet in $NFQWS_MY1_SUBNETS4; do
echo add $NFQWS_MY1_NAME4 $subnet
done | ipset -! restore
}
[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
ipset create $NFQWS_MY1_NAME6 $NFQWS_MY1_IPSET_OPT family inet6 2>/dev/null
ipset flush $NFQWS_MY1_NAME6
for subnet in $NFQWS_MY1_SUBNETS6; do
echo add $NFQWS_MY1_NAME6 $subnet
done | ipset -! restore
}
f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
f4="-p tcp -m multiport --dports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_OUT -m set --match-set"
f6="$f4 $NFQWS_MY1_NAME6 dst"
f4="$f4 $NFQWS_MY1_NAME4 dst"
fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
f4="-p tcp -m multiport --sports $NFQWS_MY1_PORTS_TCP $ipt_connbytes 1:$NFQWS_MY1_TCP_PKT_IN -m set --match-set"
f6="$f4 $NFQWS_MY1_NAME6 src"
f4="$f4 $NFQWS_MY1_NAME4 src"
fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
}
[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
f4="-p udp -m multiport --dports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_OUT -m set --match-set"
f6="$f4 $NFQWS_MY1_NAME6 dst"
f4="$f4 $NFQWS_MY1_NAME4 dst"
fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
f4="-p udp -m multiport --sports $NFQWS_MY1_PORTS_UDP $ipt_connbytes 1:$NFQWS_MY1_UDP_PKT_IN -m set --match-set"
f6="$f4 $NFQWS_MY1_NAME6 src"
f4="$f4 $NFQWS_MY1_NAME4 src"
fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
}
[ "$1" = 1 ] || {
ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
ipset destroy $NFQWS_MY1_NAME4 2>/dev/null
ipset destroy $NFQWS_MY1_NAME6 2>/dev/null
}
}
zapret_custom_firewall_nft()
{
# stop logic is not required
local f4 f6 subnets
local first_packets_only="$nft_connbytes 1-$NFQWS_MY1_PKT_OUT"
local f
local first_packets_only="$nft_connbytes 1-3"
local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
local subnets
[ "$DISABLE_IPV4" != 1 ] && {
make_comma_list subnets $NFQWS_MY1_SUBNETS4
nft_create_set $NFQWS_MY1_NAME4 "type ipv4_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
nft_flush_set $NFQWS_MY1_NAME4
nft_add_set_element $NFQWS_MY1_NAME4 "$subnets"
}
[ "$DISABLE_IPV6" != 1 ] && {
make_comma_list subnets $NFQWS_MY1_SUBNETS6
nft_create_set $NFQWS_MY1_NAME6 "type ipv6_addr; size $NFQWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
nft_flush_set $NFQWS_MY1_NAME6
nft_add_set_element $NFQWS_MY1_NAME6 "$subnets"
}
local DISABLE_IPV6=1
make_comma_list subnets $NFQWS_MY1_SUBNETS
nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
nft_flush_set $NFQWS_MY1_SET_NAME
nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
f="udp dport {$NFQWS_MY1_PORTS}"
nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
[ -n "$NFQWS_MY1_PORTS_TCP" ] && {
[ -n "$NFQWS_MY1_TCP_PKT_OUT" -a "$NFQWS_MY1_TCP_PKT_OUT" != 0 ] && {
f4="tcp dport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_OUT)"
f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
[ -n "$NFQWS_MY1_TCP_PKT_IN" -a "$NFQWS_MY1_TCP_PKT_IN" != 0 ] && {
f4="tcp sport {$NFQWS_MY1_PORTS_TCP} $(nft_first_packets $NFQWS_MY1_TCP_PKT_IN)"
f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
}
[ -n "$NFQWS_MY1_PORTS_UDP" ] && {
[ -n "$NFQWS_MY1_UDP_PKT_OUT" -a "$NFQWS_MY1_UDP_PKT_OUT" != 0 ] && {
f4="udp dport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_OUT)"
f6="$f4 ip6 daddr @$NFQWS_MY1_NAME6"
f4="$f4 ip daddr @$NFQWS_MY1_NAME4"
nft_fw_nfqws_post $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
[ -n "$NFQWS_MY1_UDP_PKT_IN" -a "$NFQWS_MY1_UDP_PKT_IN" != 0 ] && {
f4="udp sport {$NFQWS_MY1_PORTS_UDP} $(nft_first_packets $NFQWS_MY1_UDP_PKT_IN)"
f6="$f4 ip6 saddr @$NFQWS_MY1_NAME6"
f4="$f4 ip saddr @$NFQWS_MY1_NAME4"
nft_fw_nfqws_pre $1 "$f4" "$f6" $QNUM_NFQWS_MY1
}
}
}
zapret_custom_firewall_nft_flush()
{
# this function is called after all nft fw rules are deleted
# however sets are not deleted. it's desired to clear sets here.
nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
nft_del_set $NFQWS_MY1_NAME4 2>/dev/null
nft_del_set $NFQWS_MY1_NAME6 2>/dev/null
}

3
init.d/custom.d.examples.linux/50-tpws-ipset

@ -28,7 +28,6 @@ zapret_custom_firewall()
local f4 f6 subnet
local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS)
local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst"
[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null
@ -58,7 +57,7 @@ zapret_custom_firewall()
zapret_custom_firewall_nft()
{
local f4 f6 subnet
local f4 f6 subnets
[ "$DISABLE_IPV4" != 1 ] && {
make_comma_list subnets $TPWS_MY1_SUBNETS4

2
init.d/systemd/nfqws@.service

@ -1,7 +1,7 @@
# Example systemd service unit for nfqws. Adjust for your installation.
# WARNING ! This unit requires to compile nfqws using `make systemd`
# WARNING ! This makefile target enabled special systemd notify support.
# WARNING ! This makefile target enables special systemd notify support.
# PREPARE
# install build depends

2
init.d/systemd/tpws@.service

@ -1,7 +1,7 @@
# Example systemd service unit for tpws. Adjust for your installation.
# WARNING ! This unit requires to compile tpws using `make systemd`
# WARNING ! This makefile target enabled special systemd notify support.
# WARNING ! This makefile target enables special systemd notify support.
# PREPARE
# install build depends

46
ip2net/ip2net.c

@ -225,6 +225,28 @@ static void exithelp(void)
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
#endif
enum opt_indices {
IDX_HELP,
IDX_H,
IDX_4,
IDX_6,
IDX_PREFIX_LENGTH,
IDX_V4_THRESHOLD,
IDX_V6_THRESHOLD,
IDX_LAST,
};
static const struct option long_options[] = {
[IDX_HELP] = {"help", no_argument, 0, 0},
[IDX_H] = {"h", no_argument, 0, 0},
[IDX_4] = {"4", no_argument, 0, 0},
[IDX_6] = {"6", no_argument, 0, 0},
[IDX_PREFIX_LENGTH] = {"prefix-length", required_argument, 0, 0},
[IDX_V4_THRESHOLD] = {"v4-threshold", required_argument, 0, 0},
[IDX_V6_THRESHOLD] = {"v6-threshold", required_argument, 0, 0},
[IDX_LAST] = {NULL, 0, NULL, 0},
};
static void parse_params(int argc, char *argv[])
{
int option_index = 0;
@ -236,33 +258,23 @@ static void parse_params(int argc, char *argv[])
params.pctdiv = DEFAULT_PCTDIV;
params.v6_threshold = DEFAULT_V6_THRESHOLD;
const struct option long_options[] = {
{ "help",no_argument,0,0 },// optidx=0
{ "h",no_argument,0,0 },// optidx=1
{ "4",no_argument,0,0 },// optidx=2
{ "6",no_argument,0,0 },// optidx=3
{ "prefix-length",required_argument,0,0 },// optidx=4
{ "v4-threshold",required_argument,0,0 },// optidx=5
{ "v6-threshold",required_argument,0,0 },// optidx=6
{ NULL,0,NULL,0 }
};
while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
{
if (v) exithelp();
switch (option_index)
{
case 0:
case 1:
case IDX_HELP:
case IDX_H:
PRINT_VER;
exithelp();
break;
case 2:
case IDX_4:
params.ipv6 = false;
break;
case 3:
case IDX_6:
params.ipv6 = true;
break;
case 4:
case IDX_PREFIX_LENGTH:
i = sscanf(optarg,"%u-%u",&plen1,&plen2);
if (i == 1) plen2 = plen1;
if (i<=0 || plen2<plen1 || !plen1 || !plen2)
@ -271,7 +283,7 @@ static void parse_params(int argc, char *argv[])
exit(1);
}
break;
case 5:
case IDX_V4_THRESHOLD:
i = sscanf(optarg, "%u/%u", &params.pctmult, &params.pctdiv);
if (i!=2 || params.pctdiv<2 || params.pctmult<1 || params.pctmult>=params.pctdiv)
{
@ -279,7 +291,7 @@ static void parse_params(int argc, char *argv[])
exit(1);
}
break;
case 6:
case IDX_V6_THRESHOLD:
i = sscanf(optarg, "%u", &params.v6_threshold);
if (i != 1 || params.v6_threshold<1)
{

57
mdig/mdig.c

@ -467,25 +467,38 @@ static void exithelp(void)
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
#endif
enum opt_indices {
IDX_HELP,
IDX_THREADS,
IDX_FAMILY,
IDX_VERBOSE,
IDX_STATS,
IDX_LOG_RESOLVED,
IDX_LOG_FAILED,
IDX_DNS_MAKE_QUERY,
IDX_DNS_PARSE_QUERY,
IDX_LAST,
};
static const struct option long_options[] = {
[IDX_HELP] = {"help", no_argument, 0, 0},
[IDX_THREADS] = {"threads", required_argument, 0, 0},
[IDX_FAMILY] = {"family", required_argument, 0, 0},
[IDX_VERBOSE] = {"verbose", no_argument, 0, 0},
[IDX_STATS] = {"stats", required_argument, 0, 0},
[IDX_LOG_RESOLVED] = {"log-resolved", required_argument, 0, 0},
[IDX_LOG_FAILED] = {"log-failed", required_argument, 0, 0},
[IDX_DNS_MAKE_QUERY] = {"dns-make-query", required_argument, 0, 0},
[IDX_DNS_PARSE_QUERY] = {"dns-parse-query", no_argument, 0, 0},
[IDX_LAST] = {NULL, 0, NULL, 0},
};
int main(int argc, char **argv)
{
int r, v, option_index = 0;
char fn1[256],fn2[256];
char dom[256];
static const struct option long_options[] = {
{"help",no_argument,0,0}, // optidx=0
{"threads",required_argument,0,0}, // optidx=1
{"family",required_argument,0,0}, // optidx=2
{"verbose",no_argument,0,0}, // optidx=3
{"stats",required_argument,0,0}, // optidx=4
{"log-resolved",required_argument,0,0}, // optidx=5
{"log-failed",required_argument,0,0}, // optidx=6
{"dns-make-query",required_argument,0,0}, // optidx=7
{"dns-parse-query",no_argument,0,0}, // optidx=8
{NULL,0,NULL,0}
};
memset(&glob, 0, sizeof(glob));
*fn1 = *fn2 = *dom = 0;
glob.family = FAMILY4;
@ -495,11 +508,11 @@ int main(int argc, char **argv)
if (v) exithelp();
switch (option_index)
{
case 0: /* help */
case IDX_HELP:
PRINT_VER;
exithelp();
break;
case 1: /* threads */
case IDX_THREADS:
glob.threads = optarg ? atoi(optarg) : 0;
if (glob.threads <= 0 || glob.threads > 100)
{
@ -507,7 +520,7 @@ int main(int argc, char **argv)
return 1;
}
break;
case 2: /* family */
case IDX_FAMILY:
if (!strcmp(optarg, "4"))
glob.family = FAMILY4;
else if (!strcmp(optarg, "6"))
@ -520,25 +533,25 @@ int main(int argc, char **argv)
return 1;
}
break;
case 3: /* verbose */
case IDX_VERBOSE:
glob.verbose = '\1';
break;
case 4: /* stats */
case IDX_STATS:
glob.stats_every = optarg ? atoi(optarg) : 0;
break;
case 5: /* log-resolved */
case IDX_LOG_RESOLVED:
strncpy(fn1,optarg,sizeof(fn1));
fn1[sizeof(fn1)-1] = 0;
break;
case 6: /* log-failed */
case IDX_LOG_FAILED:
strncpy(fn2,optarg,sizeof(fn2));
fn2[sizeof(fn2)-1] = 0;
break;
case 7: /* dns-make-query */
case IDX_DNS_MAKE_QUERY:
strncpy(dom,optarg,sizeof(dom));
dom[sizeof(dom)-1] = 0;
break;
case 8: /* dns-parse-query */
case IDX_DNS_PARSE_QUERY:
return dns_parse_query();
}
}

11
nfq/conntrack.c

@ -143,8 +143,11 @@ static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr
}
else if (tcp_synack_segment(tcphdr))
{
if (t->state!=SYN) ConntrackReInitTrack(t); // erase current entry
if (!t->seq0) t->seq0 = ntohl(tcphdr->th_ack)-1;
// ignore SA dups
uint32_t seq0 = ntohl(tcphdr->th_ack)-1;
if (t->state!=SYN && t->seq0!=seq0)
ConntrackReInitTrack(t); // erase current entry
if (!t->seq0) t->seq0 = seq0;
t->ack0 = ntohl(tcphdr->th_seq);
}
else if (tcphdr->th_flags & (TH_FIN|TH_RST))
@ -338,8 +341,8 @@ void ConntrackPoolDump(const t_conntrack *p)
printf("rseq=%u pos_orig=%u rack=%u pos_reply=%u",
t->track.seq_last, t->track.pos_orig,
t->track.ack_last, t->track.pos_reply);
printf(" req_retrans=%u cutoff=%u wss_cutoff=%u d_cutoff=%u hostname=%s l7proto=%s\n",
t->track.req_retrans_counter, t->track.b_cutoff, t->track.b_wssize_cutoff, t->track.b_desync_cutoff, t->track.hostname, l7proto_str(t->track.l7proto));
printf(" req_retrans=%u cutoff=%u wss_cutoff=%u desync_cutoff=%u dup_cutoff=%u orig_cutoff=%u hostname=%s l7proto=%s\n",
t->track.req_retrans_counter, t->track.b_cutoff, t->track.b_wssize_cutoff, t->track.b_desync_cutoff, t->track.b_dup_cutoff, t->track.b_orig_mod_cutoff, t->track.hostname, l7proto_str(t->track.l7proto));
};
}

2
nfq/conntrack.h

@ -80,7 +80,7 @@ typedef struct
uint8_t incoming_ttl, autottl;
bool b_cutoff; // mark for deletion
bool b_wssize_cutoff, b_desync_cutoff;
bool b_wssize_cutoff, b_desync_cutoff, b_dup_cutoff, b_orig_mod_cutoff;
t_l7proto l7proto;
bool l7proto_discovered;

139
nfq/darkmagic.c

@ -38,6 +38,11 @@ uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment)
return htons(ntohs(netorder_value)+cpuorder_increment);
}
bool ip_has_df(const struct ip *ip)
{
return ip && !!(ntohs(ip->ip_off) & IP_DF);
}
uint8_t *tcp_find_option(struct tcphdr *tcp, uint8_t kind)
{
uint8_t *t = (uint8_t*)(tcp+1);
@ -83,10 +88,22 @@ bool tcp_has_fastopen(const struct tcphdr *tcp)
opt = tcp_find_option((struct tcphdr*)tcp, 254);
return opt && opt[1]>=4 && opt[2]==0xF9 && opt[3]==0x89;
}
uint16_t tcp_find_mss(struct tcphdr *tcp)
{
uint8_t *t = tcp_find_option(tcp,2);
return (t && t[1]==4) ? *(uint16_t*)(t+2) : 0;
}
bool tcp_has_sack(struct tcphdr *tcp)
{
uint8_t *t = tcp_find_option(tcp,4);
return !!t;
}
// n prefix (nsport, nwsize) means network byte order
static void fill_tcphdr(
struct tcphdr *tcp, uint32_t fooling, uint8_t tcp_flags,
bool sack,
uint16_t nmss,
uint32_t nseq, uint32_t nack_seq,
uint16_t nsport, uint16_t ndport,
uint16_t nwsize, uint8_t scale_factor,
@ -111,20 +128,32 @@ static void fill_tcphdr(
tcp->th_seq = nseq;
tcp->th_ack = nack_seq;
}
tcp->th_off = 5;
tcp->th_off = 5;
if ((fooling & FOOL_DATANOACK) && !(tcp_flags & (TH_SYN|TH_RST)) && data_len)
tcp_flags &= ~TH_ACK;
*((uint8_t*)tcp+13)= tcp_flags;
tcp->th_win = nwsize;
if (nmss)
{
tcpopt[t++] = 2; // kind
tcpopt[t++] = 4; // len
*(uint16_t*)(tcpopt+t) = nmss;
t+=2;
}
if (sack)
{
tcpopt[t++] = 4; // kind
tcpopt[t++] = 2; // len
}
if (fooling & FOOL_MD5SIG)
{
tcpopt[0] = 19; // kind
tcpopt[1] = 18; // len
*(uint32_t*)(tcpopt+2)=random();
*(uint32_t*)(tcpopt+6)=random();
*(uint32_t*)(tcpopt+10)=random();
*(uint32_t*)(tcpopt+14)=random();
t=18;
tcpopt[t] = 19; // kind
tcpopt[t+1] = 18; // len
*(uint32_t*)(tcpopt+t+2)=random();
*(uint32_t*)(tcpopt+t+6)=random();
*(uint32_t*)(tcpopt+t+10)=random();
*(uint32_t*)(tcpopt+t+14)=random();
t+=18;
}
if (timestamps || (fooling & FOOL_TS))
{
@ -145,10 +174,12 @@ static void fill_tcphdr(
tcp->th_off += t>>2;
tcp->th_sum = 0;
}
static uint16_t tcpopt_len(uint32_t fooling, const uint32_t *timestamps, uint8_t scale_factor)
static uint16_t tcpopt_len(bool sack, bool mss, uint32_t fooling, const uint32_t *timestamps, uint8_t scale_factor)
{
uint16_t t=0;
if (fooling & FOOL_MD5SIG) t=18;
if (sack) t+=2;
if (mss) t+=4;
if (fooling & FOOL_MD5SIG) t+=18;
if ((fooling & FOOL_TS) || timestamps) t+=10;
if (scale_factor!=SCALE_NONE) t+=3;
return (t+3)&~3;
@ -163,11 +194,11 @@ static void fill_udphdr(struct udphdr *udp, uint16_t nsport, uint16_t ndport, ui
udp->uh_sum = 0;
}
static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in_addr *dst, uint16_t pktlen, uint8_t proto, uint8_t ttl, uint8_t tos, uint16_t ip_id)
static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in_addr *dst, uint16_t pktlen, uint8_t proto, bool DF, uint8_t ttl, uint8_t tos, uint16_t ip_id)
{
ip->ip_tos = tos;
ip->ip_sum = 0;
ip->ip_off = 0;
ip->ip_off = DF ? htons(IP_DF) : 0;
ip->ip_v = 4;
ip->ip_hl = 5;
ip->ip_len = htons(pktlen);
@ -190,10 +221,13 @@ static void fill_ip6hdr(struct ip6_hdr *ip6, const struct in6_addr *src, const s
bool prepare_tcp_segment4(
const struct sockaddr_in *src, const struct sockaddr_in *dst,
uint8_t tcp_flags,
bool sack,
uint16_t nmss,
uint32_t nseq, uint32_t nack_seq,
uint16_t nwsize,
uint8_t scale_factor,
uint32_t *timestamps,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -203,7 +237,7 @@ bool prepare_tcp_segment4(
const void *data, uint16_t len,
uint8_t *buf, size_t *buflen)
{
uint16_t tcpoptlen = tcpopt_len(fooling,timestamps,scale_factor);
uint16_t tcpoptlen = tcpopt_len(sack,!!nmss,fooling,timestamps,scale_factor);
uint16_t ip_payload_len = sizeof(struct tcphdr) + tcpoptlen + len;
uint16_t pktlen = sizeof(struct ip) + ip_payload_len;
if (pktlen>*buflen) return false;
@ -212,12 +246,12 @@ bool prepare_tcp_segment4(
struct tcphdr *tcp = (struct tcphdr*)(ip+1);
uint8_t *payload = (uint8_t*)(tcp+1)+tcpoptlen;
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_TCP, ttl, tos, ip_id);
fill_tcphdr(tcp,fooling,tcp_flags,nseq,nack_seq,src->sin_port,dst->sin_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_TCP, DF, ttl, tos, ip_id);
fill_tcphdr(tcp,fooling,tcp_flags,sack,nmss,nseq,nack_seq,src->sin_port,dst->sin_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);
memcpy(payload,data,len);
tcp4_fix_checksum(tcp,ip_payload_len,&ip->ip_src,&ip->ip_dst);
if (fooling & FOOL_BADSUM) tcp->th_sum^=htons(0xBEAF);
if (fooling & FOOL_BADSUM) tcp->th_sum^=(uint16_t)(1+random()%0xFFFF);
*buflen = pktlen;
return true;
@ -226,6 +260,8 @@ bool prepare_tcp_segment4(
bool prepare_tcp_segment6(
const struct sockaddr_in6 *src, const struct sockaddr_in6 *dst,
uint8_t tcp_flags,
bool sack,
uint16_t nmss,
uint32_t nseq, uint32_t nack_seq,
uint16_t nwsize,
uint8_t scale_factor,
@ -238,7 +274,7 @@ bool prepare_tcp_segment6(
const void *data, uint16_t len,
uint8_t *buf, size_t *buflen)
{
uint16_t tcpoptlen = tcpopt_len(fooling,timestamps,scale_factor);
uint16_t tcpoptlen = tcpopt_len(sack,!!nmss,fooling,timestamps,scale_factor);
uint16_t transport_payload_len = sizeof(struct tcphdr) + tcpoptlen + len;
uint16_t ip_payload_len = transport_payload_len +
8*!!((fooling & (FOOL_HOPBYHOP|FOOL_HOPBYHOP2))==FOOL_HOPBYHOP) +
@ -297,11 +333,11 @@ bool prepare_tcp_segment6(
uint8_t *payload = (uint8_t*)(tcp+1)+tcpoptlen;
fill_ip6hdr(ip6, &src->sin6_addr, &dst->sin6_addr, ip_payload_len, proto, ttl, flow_label);
fill_tcphdr(tcp,fooling,tcp_flags,nseq,nack_seq,src->sin6_port,dst->sin6_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);
fill_tcphdr(tcp,fooling,tcp_flags,sack,nmss,nseq,nack_seq,src->sin6_port,dst->sin6_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);
memcpy(payload,data,len);
tcp6_fix_checksum(tcp,transport_payload_len,&ip6->ip6_src,&ip6->ip6_dst);
if (fooling & FOOL_BADSUM) tcp->th_sum^=htons(0xBEAF);
if (fooling & FOOL_BADSUM) tcp->th_sum^=(1+random()%0xFFFF);
*buflen = pktlen;
return true;
@ -310,10 +346,13 @@ bool prepare_tcp_segment6(
bool prepare_tcp_segment(
const struct sockaddr *src, const struct sockaddr *dst,
uint8_t tcp_flags,
bool sack,
uint16_t nmss,
uint32_t nseq, uint32_t nack_seq,
uint16_t nwsize,
uint8_t scale_factor,
uint32_t *timestamps,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -325,9 +364,9 @@ bool prepare_tcp_segment(
uint8_t *buf, size_t *buflen)
{
return (src->sa_family==AF_INET && dst->sa_family==AF_INET) ?
prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,tos,ip_id,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,sack,nmss,nseq,nack_seq,nwsize,scale_factor,timestamps,DF,ttl,tos,ip_id,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) ?
prepare_tcp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,flow_label,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
prepare_tcp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,tcp_flags,sack,nmss,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,flow_label,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
false;
}
@ -335,6 +374,7 @@ bool prepare_tcp_segment(
// padlen<0 means payload shrinking
bool prepare_udp_segment4(
const struct sockaddr_in *src, const struct sockaddr_in *dst,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -361,7 +401,7 @@ bool prepare_udp_segment4(
uint8_t *payload = (uint8_t*)(udp+1);
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_UDP, ttl, tos, ip_id);
fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_UDP, DF, ttl, tos, ip_id);
fill_udphdr(udp, src->sin_port, dst->sin_port, datalen);
memcpy(payload,data,len);
@ -370,7 +410,7 @@ bool prepare_udp_segment4(
else
memset(payload+len,0,padlen);
udp4_fix_checksum(udp,ip_payload_len,&ip->ip_src,&ip->ip_dst);
if (fooling & FOOL_BADSUM) udp->uh_sum^=htons(0xBEAF);
if (fooling & FOOL_BADSUM) udp->uh_sum^=(1+random()%0xFFFF);
*buflen = pktlen;
return true;
@ -459,13 +499,14 @@ bool prepare_udp_segment6(
else
memset(payload+len,0,padlen);
udp6_fix_checksum(udp,transport_payload_len,&ip6->ip6_src,&ip6->ip6_dst);
if (fooling & FOOL_BADSUM) udp->uh_sum^=htons(0xBEAF);
if (fooling & FOOL_BADSUM) udp->uh_sum^=(1+random()%0xFFFF);
*buflen = pktlen;
return true;
}
bool prepare_udp_segment(
const struct sockaddr *src, const struct sockaddr *dst,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -477,7 +518,7 @@ bool prepare_udp_segment(
uint8_t *buf, size_t *buflen)
{
return (src->sa_family==AF_INET && dst->sa_family==AF_INET) ?
prepare_udp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,ttl,tos,ip_id,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
prepare_udp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,DF,ttl,tos,ip_id,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) ?
prepare_udp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,ttl,flow_label,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
false;
@ -601,10 +642,29 @@ bool ip_frag(
return false;
}
void rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl)
bool rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl)
{
if (ip) ip->ip_ttl = ttl;
if (ip6) ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = ttl;
if (ttl)
{
if (ip)
{
if (ip->ip_ttl!=ttl)
{
ip->ip_ttl = ttl;
ip4_fix_checksum(ip);
return true;
}
}
else if (ip6)
{
if (ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim!=ttl)
{
ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = ttl;
return true;
}
}
}
return false;
}
@ -1777,6 +1837,7 @@ bool rawsend_queue(struct rawpacket_tailhead *q)
uint8_t autottl_guess(uint8_t ttl, const autottl *attl)
{
uint8_t orig, path, fake;
int d;
// 18.65.168.125 ( cloudfront ) 255
// 157.254.246.178 128
@ -1793,11 +1854,13 @@ uint8_t autottl_guess(uint8_t ttl, const autottl *attl)
path = orig - ttl;
fake = path > attl->delta ? path - attl->delta : attl->min;
if (fake<attl->min) fake=attl->min;
else if (fake>attl->max) fake=attl->max;
d = (int)path + attl->delta;
if (d<attl->min) fake=attl->min;
else if (d>attl->max) fake=attl->max;
else fake=(uint8_t)d;
if (fake>=path) return 0;
if (attl->delta<0 && fake>=path || attl->delta>=0 && fake<path)
return 0;
return fake;
}
@ -1849,15 +1912,15 @@ void verdict_tcp_csum_fix(uint8_t verdict, struct tcphdr *tcphdr, size_t transpo
{
if (!(verdict & VERDICT_NOCSUM))
{
#ifdef __CYGWIN__
// always fix csum for windivert. original can be partial or bad
#ifndef __CYGWIN__
#ifdef __FreeBSD__
if ((verdict & VERDICT_MASK)!=VERDICT_DROP)
#elif defined(__FreeBSD__)
// FreeBSD tend to pass ipv6 frames with wrong checksum
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr)
#else
// if original packet was tampered earlier it needs checksum fixed
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY)
#endif
#endif
tcp_fix_checksum(tcphdr,transport_len,ip,ip6hdr);
}
@ -1866,15 +1929,15 @@ void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transpo
{
if (!(verdict & VERDICT_NOCSUM))
{
#ifdef __CYGWIN__
// always fix csum for windivert. original can be partial or bad
#ifndef __CYGWIN__
#ifdef __FreeBSD__
if ((verdict & VERDICT_MASK)!=VERDICT_DROP)
#elif defined(__FreeBSD__)
// FreeBSD tend to pass ipv6 frames with wrong checksum
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr)
#else
// if original packet was tampered earlier it needs checksum fixed
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY)
#endif
#endif
udp_fix_checksum(udphdr,transport_len,ip,ip6hdr);
}

23
nfq/darkmagic.h

@ -59,6 +59,7 @@ uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
#define VERDICT_DROP 2
#define VERDICT_MASK 3
#define VERDICT_NOCSUM 4
#define VERDICT_GARBAGE 8
#define IP4_TOS(ip_header) (ip_header ? ip_header->ip_tos : 0)
#define IP4_IP_ID(ip_header) (ip_header ? ip_header->ip_id : 0)
@ -68,10 +69,13 @@ uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
bool prepare_tcp_segment4(
const struct sockaddr_in *src, const struct sockaddr_in *dst,
uint8_t tcp_flags,
bool sack,
uint16_t nmss,
uint32_t nseq, uint32_t nack_seq,
uint16_t nwsize,
uint8_t scale_factor,
uint32_t *timestamps,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -83,6 +87,8 @@ bool prepare_tcp_segment4(
bool prepare_tcp_segment6(
const struct sockaddr_in6 *src, const struct sockaddr_in6 *dst,
uint8_t tcp_flags,
bool sack,
uint16_t nmss,
uint32_t nseq, uint32_t nack_seq,
uint16_t nwsize,
uint8_t scale_factor,
@ -97,10 +103,13 @@ bool prepare_tcp_segment6(
bool prepare_tcp_segment(
const struct sockaddr *src, const struct sockaddr *dst,
uint8_t tcp_flags,
bool sack,
uint16_t nmss,
uint32_t nseq, uint32_t nack_seq,
uint16_t nwsize,
uint8_t scale_factor,
uint32_t *timestamps,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -114,6 +123,7 @@ bool prepare_tcp_segment(
bool prepare_udp_segment4(
const struct sockaddr_in *src, const struct sockaddr_in *dst,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -133,6 +143,7 @@ bool prepare_udp_segment6(
uint8_t *buf, size_t *buflen);
bool prepare_udp_segment(
const struct sockaddr *src, const struct sockaddr *dst,
bool DF,
uint8_t ttl,
uint8_t tos,
uint16_t ip_id,
@ -162,15 +173,20 @@ bool ip_frag(
uint8_t *pkt1, size_t *pkt1_size,
uint8_t *pkt2, size_t *pkt2_size);
void rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl);
bool rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl);
void extract_ports(const struct tcphdr *tcphdr, const struct udphdr *udphdr, uint8_t *proto, uint16_t *sport, uint16_t *dport);
void extract_endpoints(const struct ip *ip,const struct ip6_hdr *ip6hdr,const struct tcphdr *tcphdr,const struct udphdr *udphdr, struct sockaddr_storage *src, struct sockaddr_storage *dst);
uint8_t *tcp_find_option(struct tcphdr *tcp, uint8_t kind);
uint32_t *tcp_find_timestamps(struct tcphdr *tcp);
uint8_t tcp_find_scale_factor(const struct tcphdr *tcp);
uint16_t tcp_find_mss(struct tcphdr *tcp);
bool tcp_has_sack(struct tcphdr *tcp);
bool tcp_has_fastopen(const struct tcphdr *tcp);
bool ip_has_df(const struct ip *ip);
#ifdef __CYGWIN__
extern uint32_t w_win32_error;
@ -242,9 +258,10 @@ void tcp_rewrite_winsize(struct tcphdr *tcp, uint16_t winsize, uint8_t scale_fac
typedef struct
{
uint8_t delta, min, max;
int8_t delta;
uint8_t min, max;
} autottl;
#define AUTOTTL_DEFAULT_DELTA 1
#define AUTOTTL_DEFAULT_DELTA -1
#define AUTOTTL_DEFAULT_MIN 3
#define AUTOTTL_DEFAULT_MAX 20
#define AUTOTTL_ENABLED(a) (!!(a).delta)

702
nfq/desync.c

File diff suppressed because it is too large Load Diff

860
nfq/nfqws.c

File diff suppressed because it is too large Load Diff

17
nfq/params.c

@ -187,10 +187,10 @@ void dp_init(struct desync_profile *dp)
dp->desync_repeats = 1;
dp->fake_syndata_size = 16;
dp->wscale=-1; // default - dont change scale factor (client)
dp->desync_ttl6 = 0xFF; // unused
dp->desync_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
dp->desync_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
dp->wssize_cutoff_mode = dp->desync_start_mode = dp->desync_cutoff_mode = 'n'; // packet number by default
dp->desync_ttl6 = dp->dup_ttl6 = dp->orig_mod_ttl6 = 0xFF; // unused
dp->desync_badseq_increment = dp->dup_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
dp->desync_badseq_ack_increment = dp->dup_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
dp->wssize_cutoff_mode = dp->desync_start_mode = dp->desync_cutoff_mode = dp->dup_start_mode = dp->dup_cutoff_mode = dp->orig_mod_start_mode = dp->orig_mod_cutoff_mode = 'n'; // packet number by default
dp->udplen_increment = UDPLEN_INCREMENT_DEFAULT;
dp->hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
dp->hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
@ -294,3 +294,12 @@ bool dp_list_have_autohostlist(struct desync_profile_list_head *head)
return true;
return false;
}
// check if we need empty outgoing ACK
bool dp_list_need_all_out(struct desync_profile_list_head *head)
{
struct desync_profile_list *dpl;
LIST_FOREACH(dpl, head, next)
if (dpl->dp.dup_repeats || PROFILE_HAS_ORIG_MOD(&dpl->dp))
return true;
return false;
}

20
nfq/params.h

@ -82,6 +82,18 @@ struct desync_profile
int split_count;
struct proto_pos seqovl;
char dup_start_mode, dup_cutoff_mode; // n - packets, d - data packets, s - relative sequence
bool dup_replace;
unsigned int dup_start, dup_cutoff;
unsigned int dup_repeats;
uint8_t dup_ttl, dup_ttl6;
uint32_t dup_fooling_mode;
uint32_t dup_badseq_increment, dup_badseq_ack_increment;
char orig_mod_start_mode, orig_mod_cutoff_mode; // n - packets, d - data packets, s - relative sequence
unsigned int orig_mod_start, orig_mod_cutoff;
uint8_t orig_mod_ttl, orig_mod_ttl6;
char desync_start_mode, desync_cutoff_mode; // n - packets, d - data packets, s - relative sequence
unsigned int desync_start, desync_cutoff;
uint8_t desync_ttl, desync_ttl6;
@ -114,9 +126,10 @@ struct desync_profile
hostfail_pool *hostlist_auto_fail_counters;
};
#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&dp->ips_collection) && !LIST_FIRST(&dp->ips_collection_exclude))
#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&dp->ips_collection) && ipset_collection_is_empty(&dp->ips_collection_exclude))
#define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&dp->hl_collection) && hostlist_collection_is_empty(&dp->hl_collection_exclude))
#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&(dp)->ips_collection) && !LIST_FIRST(&(dp)->ips_collection_exclude))
#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&(dp)->ips_collection) && ipset_collection_is_empty(&(dp)->ips_collection_exclude))
#define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&(dp)->hl_collection) && hostlist_collection_is_empty(&(dp)->hl_collection_exclude))
#define PROFILE_HAS_ORIG_MOD(dp) ((dp)->orig_mod_ttl || (dp)->orig_mod_ttl6)
struct desync_profile_list {
struct desync_profile dp;
@ -127,6 +140,7 @@ struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head);
void dp_entry_destroy(struct desync_profile_list *entry);
void dp_list_destroy(struct desync_profile_list_head *head);
bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
bool dp_list_need_all_out(struct desync_profile_list_head *head);
void dp_init(struct desync_profile *dp);
bool dp_fake_defaults(struct desync_profile *dp);
void dp_clear(struct desync_profile *dp);

16
nfq/protocol.c

@ -345,6 +345,19 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
}
const char *TLSVersionStr(uint16_t tlsver)
{
switch(tlsver)
{
case 0x0301: return "TLS 1.0";
case 0x0302: return "TLS 1.1";
case 0x0303: return "TLS 1.2";
case 0x0304: return "TLS 1.3";
default:
// 0x0a0a, 0x1a1a, ..., 0xfafa
return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
}
}
uint16_t TLSRecordDataLen(const uint8_t *data)
{
@ -1015,7 +1028,8 @@ bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len)
return len==74 &&
data[0]==0 && data[1]==1 &&
data[2]==0 && data[3]==70 &&
data[8]==0 && memcmp(&data[8],&data[9],63)==0; // address is not set in requests
!memcmp(data+8,"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",64);
// address is not set in request
}
bool IsStunMessage(const uint8_t *data, size_t len)
{

1
nfq/protocol.h

@ -57,6 +57,7 @@ int HttpReplyCode(const uint8_t *data, size_t len);
// must be pre-checked by IsHttpReply
bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
const char *TLSVersionStr(uint16_t tlsver);
uint16_t TLSRecordDataLen(const uint8_t *data);
size_t TLSRecordLen(const uint8_t *data);
bool IsTLSRecordFull(const uint8_t *data, size_t len);

14
tpws/protocol.c

@ -339,6 +339,20 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
const char *TLSVersionStr(uint16_t tlsver)
{
switch(tlsver)
{
case 0x0301: return "TLS 1.0";
case 0x0302: return "TLS 1.1";
case 0x0303: return "TLS 1.2";
case 0x0304: return "TLS 1.3";
default:
// 0x0a0a, 0x1a1a, ..., 0xfafa
return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
}
}
uint16_t TLSRecordDataLen(const uint8_t *data)
{
return pntoh16(data + 3);

1
tpws/protocol.h

@ -53,6 +53,7 @@ int HttpReplyCode(const uint8_t *data, size_t len);
// must be pre-checked by IsHttpReply
bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
const char *TLSVersionStr(uint16_t tlsver);
uint16_t TLSRecordDataLen(const uint8_t *data);
size_t TLSRecordLen(const uint8_t *data);
bool IsTLSRecordFull(const uint8_t *data, size_t len);

76
tpws/tamper.c

@ -15,6 +15,81 @@ void packet_debug(const uint8_t *data, size_t sz)
hexdump_limited_dlog(data, sz, PKTDATA_MAXDUMP); VPRINT("\n");
}
static void TLSDebugHandshake(const uint8_t *tls,size_t sz)
{
if (!params.debug) return;
if (sz<6) return;
const uint8_t *ext;
size_t len,len2;
uint16_t v_handshake=pntoh16(tls+4), v, v2;
VPRINT("TLS handshake version : %s\n",TLSVersionStr(v_handshake));
if (TLSFindExtInHandshake(tls,sz,43,&ext,&len,false))
{
if (len)
{
len2 = ext[0];
if (len2<len)
{
for(ext++,len2&=~1 ; len2 ; len2-=2,ext+=2)
{
v = pntoh16(ext);
VPRINT("TLS supported versions ext : %s\n",TLSVersionStr(v));
}
}
}
}
else
VPRINT("TLS supported versions ext : not present\n");
if (TLSFindExtInHandshake(tls,sz,16,&ext,&len,false))
{
if (len>=2)
{
len2 = pntoh16(ext);
if (len2<=(len-2))
{
char s[32];
for(ext+=2; len2 ;)
{
v = *ext; ext++; len2--;
if (v<=len2)
{
v2 = v<sizeof(s) ? v : sizeof(s)-1;
memcpy(s,ext,v2);
s[v2]=0;
VPRINT("TLS ALPN ext : %s\n",s);
len2-=v;
ext+=v;
}
else
break;
}
}
}
}
else
VPRINT("TLS ALPN ext : not present\n");
VPRINT("TLS ECH ext : %s\n",TLSFindExtInHandshake(tls,sz,65037,NULL,NULL,false) ? "present" : "not present");
}
static void TLSDebug(const uint8_t *tls,size_t sz)
{
if (!params.debug) return;
if (sz<11) return;
VPRINT("TLS record layer version : %s\n",TLSVersionStr(pntoh16(tls+1)));
size_t reclen=TLSRecordLen(tls);
if (reclen<sz) sz=reclen; // correct len if it has more data than the first tls record has
TLSDebugHandshake(tls+5,sz-5);
}
static bool dp_match(struct desync_profile *dp, const struct sockaddr *dest, const char *hostname, t_l7proto l7proto)
{
bool bHostlistsEmpty;
@ -130,6 +205,7 @@ void tamper_out(t_ctrack *ctrack, const struct sockaddr *dest, uint8_t *segment,
{
VPRINT("Data block contains TLS ClientHello\n");
l7proto=TLS;
TLSDebug(segment,*size);
bHaveHost=TLSHelloExtractHost((uint8_t*)segment,*size,Host,sizeof(Host),false);
}
else

424
tpws/tpws.c

@ -610,6 +610,188 @@ static bool check_oob_disorder(const struct desync_profile *dp)
}
#endif
enum opt_indices {
IDX_HELP,
IDX_H,
IDX_BIND_ADDR,
IDX_BIND_IFACE4,
IDX_BIND_IFACE6,
IDX_BIND_LINKLOCAL,
IDX_BIND_WAIT_IFUP,
IDX_BIND_WAIT_IP,
IDX_BIND_WAIT_IP_LINKLOCAL,
IDX_BIND_WAIT_ONLY,
IDX_PORT,
IDX_DAEMON,
IDX_USER,
IDX_UID,
IDX_MAXCONN,
IDX_MAXFILES,
IDX_MAX_ORPHAN_TIME,
IDX_HOSTCASE,
IDX_HOSTSPELL,
IDX_HOSTDOT,
IDX_HOSTNOSPACE,
IDX_HOSTPAD,
IDX_DOMCASE,
IDX_SPLIT_HTTP_REQ,
IDX_SPLIT_TLS,
IDX_SPLIT_POS,
IDX_SPLIT_ANY_PROTOCOL,
IDX_DISORDER,
IDX_OOB,
IDX_OOB_DATA,
IDX_METHODSPACE,
IDX_METHODEOL,
IDX_HOSTTAB,
IDX_UNIXEOL,
IDX_TLSREC,
IDX_TLSREC_POS,
IDX_HOSTLIST,
IDX_HOSTLIST_DOMAINS,
IDX_HOSTLIST_EXCLUDE,
IDX_HOSTLIST_EXCLUDE_DOMAINS,
IDX_HOSTLIST_AUTO,
IDX_HOSTLIST_AUTO_FAIL_THRESHOLD,
IDX_HOSTLIST_AUTO_FAIL_TIME,
IDX_HOSTLIST_AUTO_DEBUG,
IDX_PIDFILE,
IDX_DEBUG,
IDX_DEBUG_LEVEL,
IDX_DRY_RUN,
IDX_VERSION,
IDX_COMMENT,
IDX_LOCAL_RCVBUF,
IDX_LOCAL_SNDBUF,
IDX_REMOTE_RCVBUF,
IDX_REMOTE_SNDBUF,
IDX_SOCKS,
IDX_NO_RESOLVE,
IDX_RESOLVER_THREADS,
IDX_SKIP_NODELAY,
IDX_TAMPER_START,
IDX_TAMPER_CUTOFF,
IDX_CONNECT_BIND_ADDR,
IDX_NEW,
IDX_SKIP,
IDX_FILTER_L3,
IDX_FILTER_TCP,
IDX_FILTER_L7,
IDX_IPSET,
IDX_IPSET_IP,
IDX_IPSET_EXCLUDE,
IDX_IPSET_EXCLUDE_IP,
#if defined(__FreeBSD__)
IDX_ENABLE_PF,
#elif defined(__APPLE__)
IDX_LOCAL_TCP_USER_TIMEOUT,
IDX_REMOTE_TCP_USER_TIMEOUT,
#elif defined(__linux__)
IDX_LOCAL_TCP_USER_TIMEOUT,
IDX_REMOTE_TCP_USER_TIMEOUT,
IDX_MSS,
IDX_FIX_SEG,
#ifdef SPLICE_PRESENT
IDX_NOSPLICE,
#endif
#endif
IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD, // ignored. for nfqws command line compatibility
IDX_LAST,
};
static const struct option long_options[] = {
[IDX_HELP] = {"help", no_argument, 0, 0},
[IDX_H] = {"h", no_argument, 0, 0},
[IDX_BIND_ADDR] = {"bind-addr", required_argument, 0, 0},
[IDX_BIND_IFACE4] = {"bind-iface4", required_argument, 0, 0},
[IDX_BIND_IFACE6] = {"bind-iface6", required_argument, 0, 0},
[IDX_BIND_LINKLOCAL] = {"bind-linklocal", required_argument, 0, 0},
[IDX_BIND_WAIT_IFUP] = {"bind-wait-ifup", required_argument, 0, 0},
[IDX_BIND_WAIT_IP] = {"bind-wait-ip", required_argument, 0, 0},
[IDX_BIND_WAIT_IP_LINKLOCAL] = {"bind-wait-ip-linklocal", required_argument, 0, 0},
[IDX_BIND_WAIT_ONLY] = {"bind-wait-only", no_argument, 0, 0},
[IDX_PORT] = {"port", required_argument, 0, 0},
[IDX_DAEMON] = {"daemon", no_argument, 0, 0},
[IDX_USER] = {"user", required_argument, 0, 0},
[IDX_UID] = {"uid", required_argument, 0, 0},
[IDX_MAXCONN] = {"maxconn", required_argument, 0, 0},
[IDX_MAXFILES] = {"maxfiles", required_argument, 0, 0},
[IDX_MAX_ORPHAN_TIME] = {"max-orphan-time", required_argument, 0, 0},
[IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0},
[IDX_HOSTSPELL] = {"hostspell", required_argument, 0, 0},
[IDX_HOSTDOT] = {"hostdot", no_argument, 0, 0},
[IDX_HOSTNOSPACE] = {"hostnospace", no_argument, 0, 0},
[IDX_HOSTPAD] = {"hostpad", required_argument, 0, 0},
[IDX_DOMCASE] = {"domcase", no_argument, 0, 0},
[IDX_SPLIT_HTTP_REQ] = {"split-http-req", required_argument, 0, 0},
[IDX_SPLIT_TLS] = {"split-tls", required_argument, 0, 0},
[IDX_SPLIT_POS] = {"split-pos", required_argument, 0, 0},
[IDX_SPLIT_ANY_PROTOCOL] = {"split-any-protocol", optional_argument, 0, 0},
[IDX_DISORDER] = {"disorder", optional_argument, 0, 0},
[IDX_OOB] = {"oob", optional_argument, 0, 0},
[IDX_OOB_DATA] = {"oob-data", required_argument, 0, 0},
[IDX_METHODSPACE] = {"methodspace", no_argument, 0, 0},
[IDX_METHODEOL] = {"methodeol", no_argument, 0, 0},
[IDX_HOSTTAB] = {"hosttab", no_argument, 0, 0},
[IDX_UNIXEOL] = {"unixeol", no_argument, 0, 0},
[IDX_TLSREC] = {"tlsrec", required_argument, 0, 0},
[IDX_TLSREC_POS] = {"tlsrec-pos", required_argument, 0, 0},
[IDX_HOSTLIST] = {"hostlist", required_argument, 0, 0},
[IDX_HOSTLIST_DOMAINS] = {"hostlist-domains", required_argument, 0, 0},
[IDX_HOSTLIST_EXCLUDE] = {"hostlist-exclude", required_argument, 0, 0},
[IDX_HOSTLIST_EXCLUDE_DOMAINS] = {"hostlist-exclude-domains", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO] = {"hostlist-auto", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_FAIL_THRESHOLD] = {"hostlist-auto-fail-threshold", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_FAIL_TIME] = {"hostlist-auto-fail-time", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_DEBUG] = {"hostlist-auto-debug", required_argument, 0, 0},
[IDX_PIDFILE] = {"pidfile", required_argument, 0, 0},
[IDX_DEBUG] = {"debug", optional_argument, 0, 0},
[IDX_DEBUG_LEVEL] = {"debug-level", required_argument, 0, 0},
[IDX_DRY_RUN] = {"dry-run", no_argument, 0, 0},
[IDX_VERSION] = {"version", no_argument, 0, 0},
[IDX_COMMENT] = {"comment", optional_argument, 0, 0},
[IDX_LOCAL_RCVBUF] = {"local-rcvbuf", required_argument, 0, 0},
[IDX_LOCAL_SNDBUF] = {"local-sndbuf", required_argument, 0, 0},
[IDX_REMOTE_RCVBUF] = {"remote-rcvbuf", required_argument, 0, 0},
[IDX_REMOTE_SNDBUF] = {"remote-sndbuf", required_argument, 0, 0},
[IDX_SOCKS] = {"socks", no_argument, 0, 0},
[IDX_NO_RESOLVE] = {"no-resolve", no_argument, 0, 0},
[IDX_RESOLVER_THREADS] = {"resolver-threads", required_argument, 0, 0},
[IDX_SKIP_NODELAY] = {"skip-nodelay", no_argument, 0, 0},
[IDX_TAMPER_START] = {"tamper-start", required_argument, 0, 0},
[IDX_TAMPER_CUTOFF] = {"tamper-cutoff", required_argument, 0, 0},
[IDX_CONNECT_BIND_ADDR] = {"connect-bind-addr", required_argument, 0, 0},
[IDX_NEW] = {"new", no_argument, 0, 0},
[IDX_SKIP] = {"skip", no_argument, 0, 0},
[IDX_FILTER_L3] = {"filter-l3", required_argument, 0, 0},
[IDX_FILTER_TCP] = {"filter-tcp", required_argument, 0, 0},
[IDX_FILTER_L7] = {"filter-l7", required_argument, 0, 0},
[IDX_IPSET] = {"ipset", required_argument, 0, 0},
[IDX_IPSET_IP] = {"ipset-ip", required_argument, 0, 0},
[IDX_IPSET_EXCLUDE] = {"ipset-exclude", required_argument, 0, 0},
[IDX_IPSET_EXCLUDE_IP] = {"ipset-exclude-ip", required_argument, 0, 0},
#if defined(__FreeBSD__)
[IDX_ENABLE_PF] = {"enable-pf", no_argument, 0, 0},
#elif defined(__APPLE__)
[IDX_LOCAL_TCP_USER_TIMEOUT] = {"local-tcp-user-timeout", required_argument, 0, 0},
[IDX_REMOTE_TCP_USER_TIMEOUT] = {"remote-tcp-user-timeout", required_argument, 0, 0},
#elif defined(__linux__)
[IDX_LOCAL_TCP_USER_TIMEOUT] = {"local-tcp-user-timeout", required_argument, 0, 0},
[IDX_REMOTE_TCP_USER_TIMEOUT] = {"remote-tcp-user-timeout", required_argument, 0, 0},
[IDX_MSS] = {"mss", required_argument, 0, 0},
[IDX_FIX_SEG] = {"fix-seg", optional_argument, 0, 0},
#ifdef SPLICE_PRESENT
[IDX_NOSPLICE] = {"nosplice", no_argument, 0, 0},
#endif
#endif
[IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD] = {"hostlist-auto-retrans-threshold", optional_argument, 0, 0},
[IDX_LAST] = {NULL, 0, NULL, 0},
};
void parse_params(int argc, char *argv[])
{
int option_index = 0;
@ -664,96 +846,6 @@ void parse_params(int argc, char *argv[])
}
#endif
const struct option long_options[] = {
{ "help",no_argument,0,0 },// optidx=0
{ "h",no_argument,0,0 },// optidx=1
{ "bind-addr",required_argument,0,0 },// optidx=2
{ "bind-iface4",required_argument,0,0 },// optidx=3
{ "bind-iface6",required_argument,0,0 },// optidx=4
{ "bind-linklocal",required_argument,0,0 },// optidx=5
{ "bind-wait-ifup",required_argument,0,0 },// optidx=6
{ "bind-wait-ip",required_argument,0,0 },// optidx=7
{ "bind-wait-ip-linklocal",required_argument,0,0 },// optidx=8
{ "bind-wait-only",no_argument,0,0 },// optidx=9
{ "port",required_argument,0,0 },// optidx=10
{ "daemon",no_argument,0,0 },// optidx=11
{ "user",required_argument,0,0 },// optidx=12
{ "uid",required_argument,0,0 },// optidx=13
{ "maxconn",required_argument,0,0 },// optidx=14
{ "maxfiles",required_argument,0,0 },// optidx=15
{ "max-orphan-time",required_argument,0,0 },// optidx=16
{ "hostcase",no_argument,0,0 },// optidx=17
{ "hostspell",required_argument,0,0 },// optidx=18
{ "hostdot",no_argument,0,0 },// optidx=19
{ "hostnospace",no_argument,0,0 },// optidx=20
{ "hostpad",required_argument,0,0 },// optidx=21
{ "domcase",no_argument,0,0 },// optidx=22
{ "split-http-req",required_argument,0,0 },// optidx=23
{ "split-tls",required_argument,0,0 },// optidx=24
{ "split-pos",required_argument,0,0 },// optidx=25
{ "split-any-protocol",optional_argument,0,0},// optidx=26
{ "disorder",optional_argument,0,0 },// optidx=27
{ "oob",optional_argument,0,0 },// optidx=28
{ "oob-data",required_argument,0,0 },// optidx=29
{ "methodspace",no_argument,0,0 },// optidx=30
{ "methodeol",no_argument,0,0 },// optidx=31
{ "hosttab",no_argument,0,0 },// optidx=32
{ "unixeol",no_argument,0,0 },// optidx=33
{ "tlsrec",required_argument,0,0 },// optidx=34
{ "tlsrec-pos",required_argument,0,0 },// optidx=35
{ "hostlist",required_argument,0,0 },// optidx=36
{ "hostlist-domains",required_argument,0,0 },// optidx=37
{ "hostlist-exclude",required_argument,0,0 },// optidx=38
{ "hostlist-exclude-domains",required_argument,0,0 },// optidx=39
{ "hostlist-auto",required_argument,0,0}, // optidx=40
{ "hostlist-auto-fail-threshold",required_argument,0,0}, // optidx=41
{ "hostlist-auto-fail-time",required_argument,0,0}, // optidx=42
{ "hostlist-auto-debug",required_argument,0,0}, // optidx=43
{ "pidfile",required_argument,0,0 },// optidx=44
{ "debug",optional_argument,0,0 },// optidx=45
{ "debug-level",required_argument,0,0 },// optidx=46
{ "dry-run",no_argument,0,0 },// optidx=47
{ "version",no_argument,0,0 },// optidx=48
{ "comment",optional_argument,0,0 },// optidx=49
{ "local-rcvbuf",required_argument,0,0 },// optidx=50
{ "local-sndbuf",required_argument,0,0 },// optidx=51
{ "remote-rcvbuf",required_argument,0,0 },// optidx=52
{ "remote-sndbuf",required_argument,0,0 },// optidx=53
{ "socks",no_argument,0,0 },// optidx=54
{ "no-resolve",no_argument,0,0 },// optidx=55
{ "resolver-threads",required_argument,0,0 },// optidx=56
{ "skip-nodelay",no_argument,0,0 },// optidx=57
{ "tamper-start",required_argument,0,0 },// optidx=58
{ "tamper-cutoff",required_argument,0,0 },// optidx=59
{ "connect-bind-addr",required_argument,0,0 },// optidx=60
{ "new",no_argument,0,0 }, // optidx=61
{ "skip",no_argument,0,0 }, // optidx=62
{ "filter-l3",required_argument,0,0 }, // optidx=63
{ "filter-tcp",required_argument,0,0 }, // optidx=64
{ "filter-l7",required_argument,0,0 }, // optidx=65
{ "ipset",required_argument,0,0 }, // optidx=66
{ "ipset-ip",required_argument,0,0 }, // optidx=67
{ "ipset-exclude",required_argument,0,0 }, // optidx=68
{ "ipset-exclude-ip",required_argument,0,0 }, // optidx=69
#if defined(__FreeBSD__)
{ "enable-pf",no_argument,0,0 },// optidx=69
#elif defined(__APPLE__)
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=79
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=71
#elif defined(__linux__)
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=70
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=71
{ "mss",required_argument,0,0 }, // optidx=72
{ "fix-seg",optional_argument,0,0 }, // optidx=73
#ifdef SPLICE_PRESENT
{ "nosplice",no_argument,0,0 }, // optidx=74
#endif
#endif
{ "hostlist-auto-retrans-threshold",optional_argument,0,0}, // ignored. for nfqws command line compatibility
{ NULL,0,NULL,0 }
};
while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
{
if (v)
@ -765,11 +857,11 @@ void parse_params(int argc, char *argv[])
}
switch (option_index)
{
case 0:
case 1:
case IDX_HELP:
case IDX_H:
exithelp_clean();
break;
case 2: /* bind-addr */
case IDX_BIND_ADDR:
nextbind_clean();
{
char *p = strchr(optarg,'%');
@ -782,19 +874,19 @@ void parse_params(int argc, char *argv[])
}
params.binds[params.binds_last].bindaddr[sizeof(params.binds[params.binds_last].bindaddr) - 1] = 0;
break;
case 3: /* bind-iface4 */
case IDX_BIND_IFACE4:
nextbind_clean();
params.binds[params.binds_last].bind_if6=false;
strncpy(params.binds[params.binds_last].bindiface, optarg, sizeof(params.binds[params.binds_last].bindiface));
params.binds[params.binds_last].bindiface[sizeof(params.binds[params.binds_last].bindiface) - 1] = 0;
break;
case 4: /* bind-iface6 */
case IDX_BIND_IFACE6:
nextbind_clean();
params.binds[params.binds_last].bind_if6=true;
strncpy(params.binds[params.binds_last].bindiface, optarg, sizeof(params.binds[params.binds_last].bindiface));
params.binds[params.binds_last].bindiface[sizeof(params.binds[params.binds_last].bindiface) - 1] = 0;
break;
case 5: /* bind-linklocal */
case IDX_BIND_LINKLOCAL:
checkbind_clean();
params.binds[params.binds_last].bindll = true;
if (!strcmp(optarg, "no"))
@ -811,22 +903,22 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 6: /* bind-wait-ifup */
case IDX_BIND_WAIT_IFUP:
checkbind_clean();
params.binds[params.binds_last].bind_wait_ifup = atoi(optarg);
break;
case 7: /* bind-wait-ip */
case IDX_BIND_WAIT_IP:
checkbind_clean();
params.binds[params.binds_last].bind_wait_ip = atoi(optarg);
break;
case 8: /* bind-wait-ip-linklocal */
case IDX_BIND_WAIT_IP_LINKLOCAL:
checkbind_clean();
params.binds[params.binds_last].bind_wait_ip_ll = atoi(optarg);
break;
case 9: /* bind-wait-only */
case IDX_BIND_WAIT_ONLY:
params.bind_wait_only = true;
break;
case 10: /* port */
case IDX_PORT:
i = atoi(optarg);
if (i <= 0 || i > 65535)
{
@ -835,10 +927,10 @@ void parse_params(int argc, char *argv[])
}
params.port = (uint16_t)i;
break;
case 11: /* daemon */
case IDX_DAEMON:
params.daemon = true;
break;
case 12: /* user */
case IDX_USER:
{
struct passwd *pwd = getpwnam(optarg);
if (!pwd)
@ -851,7 +943,7 @@ void parse_params(int argc, char *argv[])
params.droproot = true;
break;
}
case 13: /* uid */
case IDX_UID:
params.gid=0x7FFFFFFF; // default git. drop gid=0
params.droproot = true;
if (sscanf(optarg,"%u:%u",&params.uid,&params.gid)<1)
@ -860,7 +952,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 14: /* maxconn */
case IDX_MAXCONN:
params.maxconn = atoi(optarg);
if (params.maxconn <= 0 || params.maxconn > 10000)
{
@ -868,7 +960,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 15: /* maxfiles */
case IDX_MAXFILES:
params.maxfiles = atoi(optarg);
if (params.maxfiles < 0)
{
@ -876,7 +968,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 16: /* max-orphan-time */
case IDX_MAX_ORPHAN_TIME:
params.max_orphan_time = atoi(optarg);
if (params.max_orphan_time < 0)
{
@ -884,11 +976,11 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 17: /* hostcase */
case IDX_HOSTCASE:
dp->hostcase = true;
params.tamper = true;
break;
case 18: /* hostspell */
case IDX_HOSTSPELL:
if (strlen(optarg) != 4)
{
DLOG_ERR("hostspell must be exactly 4 chars long\n");
@ -898,23 +990,23 @@ void parse_params(int argc, char *argv[])
memcpy(dp->hostspell, optarg, 4);
params.tamper = true;
break;
case 19: /* hostdot */
case IDX_HOSTDOT:
dp->hostdot = true;
params.tamper = true;
break;
case 20: /* hostnospace */
case IDX_HOSTNOSPACE:
dp->hostnospace = true;
params.tamper = true;
break;
case 21: /* hostpad */
case IDX_HOSTPAD:
dp->hostpad = atoi(optarg);
params.tamper = true;
break;
case 22: /* domcase */
case IDX_DOMCASE:
dp->domcase = true;
params.tamper = true;
break;
case 23: /* split-http-req */
case IDX_SPLIT_HTTP_REQ:
DLOG_CONDUP("WARNING ! --split-http-req is deprecated. use --split-pos with markers.\n",MAX_SPLITS);
if (dp->split_count>=MAX_SPLITS)
{
@ -929,7 +1021,7 @@ void parse_params(int argc, char *argv[])
dp->split_count++;
params.tamper = true;
break;
case 24: /* split-tls */
case IDX_SPLIT_TLS:
// obsolete arg
DLOG_CONDUP("WARNING ! --split-tls is deprecated. use --split-pos with markers.\n",MAX_SPLITS);
if (dp->split_count>=MAX_SPLITS)
@ -945,7 +1037,7 @@ void parse_params(int argc, char *argv[])
dp->split_count++;
params.tamper = true;
break;
case 25: /* split-pos */
case IDX_SPLIT_POS:
{
int ct;
if (!parse_split_pos_list(optarg,dp->splits+dp->split_count,MAX_SPLITS-dp->split_count,&ct))
@ -957,10 +1049,10 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 26: /* split-any-protocol */
case IDX_SPLIT_ANY_PROTOCOL:
dp->split_any_protocol = true;
break;
case 27: /* disorder */
case IDX_DISORDER:
if (optarg)
{
if (!strcmp(optarg,"http")) dp->disorder_http=true;
@ -981,7 +1073,7 @@ void parse_params(int argc, char *argv[])
}
#endif
break;
case 28: /* oob */
case IDX_OOB:
if (optarg)
{
if (!strcmp(optarg,"http")) dp->oob_http=true;
@ -1002,7 +1094,7 @@ void parse_params(int argc, char *argv[])
}
#endif
break;
case 29: /* oob-data */
case IDX_OOB_DATA:
{
size_t l = strlen(optarg);
unsigned int bt;
@ -1015,23 +1107,23 @@ void parse_params(int argc, char *argv[])
else dp->oob_byte = (uint8_t)bt;
}
break;
case 30: /* methodspace */
case IDX_METHODSPACE:
dp->methodspace = true;
params.tamper = true;
break;
case 31: /* methodeol */
case IDX_METHODEOL:
dp->methodeol = true;
params.tamper = true;
break;
case 32: /* hosttab */
case IDX_HOSTTAB:
dp->hosttab = true;
params.tamper = true;
break;
case 33: /* unixeol */
case IDX_UNIXEOL:
dp->unixeol = true;
params.tamper = true;
break;
case 34: /* tlsrec */
case IDX_TLSREC:
if (!parse_split_pos(optarg, &dp->tlsrec) && !parse_tlspos(optarg, &dp->tlsrec))
{
DLOG_ERR("Invalid argument for tlsrec\n");
@ -1039,7 +1131,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 35: /* tlsrec-pos */
case IDX_TLSREC_POS:
// obsolete arg
i = atoi(optarg);
dp->tlsrec.marker = PM_ABS;
@ -1051,7 +1143,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 36: /* hostlist */
case IDX_HOSTLIST:
if (bSkip) break;
if (!RegisterHostlist(dp, false, optarg))
{
@ -1060,7 +1152,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 37: /* hostlist-domains */
case IDX_HOSTLIST_DOMAINS:
if (bSkip) break;
if (!anon_hl && !(anon_hl=RegisterHostlist(dp, false, NULL)))
{
@ -1074,7 +1166,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 38: /* hostlist-exclude */
case IDX_HOSTLIST_EXCLUDE:
if (bSkip) break;
if (!RegisterHostlist(dp, true, optarg))
{
@ -1083,7 +1175,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 39: /* hostlist-exclude-domains */
case IDX_HOSTLIST_EXCLUDE_DOMAINS:
if (bSkip) break;
if (!anon_hl_exclude && !(anon_hl_exclude=RegisterHostlist(dp, true, NULL)))
{
@ -1097,7 +1189,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 40: /* hostlist-auto */
case IDX_HOSTLIST_AUTO:
if (bSkip) break;
if (dp->hostlist_auto)
{
@ -1126,7 +1218,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true; // need to detect blocks and update autohostlist. cannot just slice.
break;
case 41: /* hostlist-auto-fail-threshold */
case IDX_HOSTLIST_AUTO_FAIL_THRESHOLD:
dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg);
if (dp->hostlist_auto_fail_threshold<1 || dp->hostlist_auto_fail_threshold>20)
{
@ -1134,7 +1226,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 42: /* hostlist-auto-fail-time */
case IDX_HOSTLIST_AUTO_FAIL_TIME:
dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg);
if (dp->hostlist_auto_fail_time<1)
{
@ -1142,7 +1234,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 43: /* hostlist-auto-debug */
case IDX_HOSTLIST_AUTO_DEBUG:
{
FILE *F = fopen(optarg,"a+t");
if (!F)
@ -1155,11 +1247,11 @@ void parse_params(int argc, char *argv[])
params.hostlist_auto_debuglog[sizeof(params.hostlist_auto_debuglog) - 1] = '\0';
}
break;
case 44: /* pidfile */
case IDX_PIDFILE:
strncpy(params.pidfile,optarg,sizeof(params.pidfile));
params.pidfile[sizeof(params.pidfile)-1]='\0';
break;
case 45: /* debug */
case IDX_DEBUG:
if (optarg)
{
if (*optarg=='@')
@ -1193,52 +1285,52 @@ void parse_params(int argc, char *argv[])
params.debug_target = LOG_TARGET_CONSOLE;
}
break;
case 46: /* debug-level */
case IDX_DEBUG_LEVEL:
params.debug = atoi(optarg);
break;
case 47: /* dry-run */
case IDX_DRY_RUN:
bDry = true;
break;
case 48: /* version */
case IDX_VERSION:
exit_clean(0);
break;
case 49: /* comment */
case IDX_COMMENT:
break;
case 50: /* local-rcvbuf */
case IDX_LOCAL_RCVBUF:
#ifdef __linux__
params.local_rcvbuf = atoi(optarg)/2;
#else
params.local_rcvbuf = atoi(optarg);
#endif
break;
case 51: /* local-sndbuf */
case IDX_LOCAL_SNDBUF:
#ifdef __linux__
params.local_sndbuf = atoi(optarg)/2;
#else
params.local_sndbuf = atoi(optarg);
#endif
break;
case 52: /* remote-rcvbuf */
case IDX_REMOTE_RCVBUF:
#ifdef __linux__
params.remote_rcvbuf = atoi(optarg)/2;
#else
params.remote_rcvbuf = atoi(optarg);
#endif
break;
case 53: /* remote-sndbuf */
case IDX_REMOTE_SNDBUF:
#ifdef __linux__
params.remote_sndbuf = atoi(optarg)/2;
#else
params.remote_sndbuf = atoi(optarg);
#endif
break;
case 54: /* socks */
case IDX_SOCKS:
params.proxy_type = CONN_TYPE_SOCKS;
break;
case 55: /* no-resolve */
case IDX_NO_RESOLVE:
params.no_resolve = true;
break;
case 56: /* resolver-threads */
case IDX_RESOLVER_THREADS:
params.resolver_threads = atoi(optarg);
if (params.resolver_threads<1 || params.resolver_threads>300)
{
@ -1246,10 +1338,10 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 57: /* skip-nodelay */
case IDX_SKIP_NODELAY:
params.skip_nodelay = true;
break;
case 58: /* tamper-start */
case IDX_TAMPER_START:
{
const char *p=optarg;
if (*p=='n')
@ -1263,7 +1355,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper_lim = true;
break;
case 59: /* tamper-cutoff */
case IDX_TAMPER_CUTOFF:
{
const char *p=optarg;
if (*p=='n')
@ -1277,7 +1369,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper_lim = true;
break;
case 60: /* connect-bind-addr */
case IDX_CONNECT_BIND_ADDR:
{
char *p = strchr(optarg,'%');
if (p) *p++=0;
@ -1305,7 +1397,7 @@ void parse_params(int argc, char *argv[])
break;
case 61: /* new */
case IDX_NEW:
if (bSkip)
{
dp_clear(dp);
@ -1326,31 +1418,31 @@ void parse_params(int argc, char *argv[])
anon_hl = anon_hl_exclude = NULL;
anon_ips = anon_ips_exclude = NULL;
break;
case 62: /* skip */
case IDX_SKIP:
bSkip = true;
break;
case 63: /* filter-l3 */
case IDX_FILTER_L3:
if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6))
{
DLOG_ERR("bad value for --filter-l3\n");
exit_clean(1);
}
break;
case 64: /* filter-tcp */
case IDX_FILTER_TCP:
if (!parse_pf_list(optarg,&dp->pf_tcp))
{
DLOG_ERR("Invalid port filter : %s\n",optarg);
exit_clean(1);
}
break;
case 65: /* filter-l7 */
case IDX_FILTER_L7:
if (!parse_l7_list(optarg,&dp->filter_l7))
{
DLOG_ERR("Invalid l7 filter : %s\n",optarg);
exit_clean(1);
}
break;
case 66: /* ipset */
case IDX_IPSET:
if (bSkip) break;
if (!RegisterIpset(dp, false, optarg))
{
@ -1359,7 +1451,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 67: /* ipset-ip */
case IDX_IPSET_IP:
if (bSkip) break;
if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL)))
{
@ -1373,7 +1465,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 68: /* ipset-exclude */
case IDX_IPSET_EXCLUDE:
if (bSkip) break;
if (!RegisterIpset(dp, true, optarg))
{
@ -1382,7 +1474,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case 69: /* ipset-exclude-ip */
case IDX_IPSET_EXCLUDE_IP:
if (bSkip) break;
if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL)))
{
@ -1398,11 +1490,11 @@ void parse_params(int argc, char *argv[])
break;
#if defined(__FreeBSD__)
case 70: /* enable-pf */
case IDX_ENABLE_PF:
params.pf_enable = true;
break;
#elif defined(__linux__) || defined(__APPLE__)
case 70: /* local-tcp-user-timeout */
case IDX_LOCAL_TCP_USER_TIMEOUT:
params.tcp_user_timeout_local = atoi(optarg);
if (params.tcp_user_timeout_local<0 || params.tcp_user_timeout_local>86400)
{
@ -1410,7 +1502,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 71: /* remote-tcp-user-timeout */
case IDX_REMOTE_TCP_USER_TIMEOUT:
params.tcp_user_timeout_remote = atoi(optarg);
if (params.tcp_user_timeout_remote<0 || params.tcp_user_timeout_remote>86400)
{
@ -1421,7 +1513,7 @@ void parse_params(int argc, char *argv[])
#endif
#if defined(__linux__)
case 72: /* mss */
case IDX_MSS:
// this option does not work in any BSD and MacOS. OS may accept but it changes nothing
dp->mss = atoi(optarg);
if (dp->mss<88 || dp->mss>32767)
@ -1430,7 +1522,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case 73: /* fix-seg */
case IDX_FIX_SEG:
if (!params.fix_seg_avail)
{
DLOG_ERR("--fix-seg is supported since kernel 4.6\n");
@ -1450,7 +1542,7 @@ void parse_params(int argc, char *argv[])
params.fix_seg = FIX_SEG_DEFAULT_MAX_WAIT;
break;
#ifdef SPLICE_PRESENT
case 74: /* nosplice */
case IDX_NOSPLICE:
params.nosplice = true;
break;
#endif