From 12853b8052edfa64350580d7dc0ae8539555c5e0 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Mon, 26 Jan 2026 18:39:33 +0300
Subject: [PATCH] zapret-tests: send raw ip protocol
---
 lua/zapret-tests.lua | 47 +++++++++++++++++++++++++-----
 nfq2/desync.c | 2 +-
 nfq2/lua.c | 19 ++++++++----
 nfq2/lua.h | 2 +-
 nfq2/windows/res/32/winicon.o | Bin 0 -> 4550 bytes
 nfq2/windows/res/32/winmanifest.o | Bin 0 -> 1364 bytes
 nfq2/windows/res/64/winicon.o | Bin 0 -> 4566 bytes
 nfq2/windows/res/64/winmanifest.o | Bin 0 -> 1364 bytes
 nfq2/windows/res/winws_res64.o | Bin 30806 -> 30830 bytes
 9 files changed, 55 insertions(+), 15 deletions(-)
 create mode 100755 nfq2/windows/res/32/winicon.o
 create mode 100755 nfq2/windows/res/32/winmanifest.o
 create mode 100755 nfq2/windows/res/64/winicon.o
 create mode 100755 nfq2/windows/res/64/winmanifest.o
diff --git a/lua/zapret-tests.lua b/lua/zapret-tests.lua
index 6c39c74..69a072c 100644
--- a/lua/zapret-tests.lua
+++ b/lua/zapret-tests.lua
@@ -558,6 +558,23 @@ function test_dissect()
 print( raw1==raw2 and "DISSECT OK" or "DISSECT FAILED" )
 test_assert(raw1==raw2)
+ raw1 = string.sub(reconstruct_dissect(ip6_udp),1,-4-#ip6_udp.payload)
+ dis1 = dissect(raw1, false)
+ dis2 = dissect(raw1, true)
+ local ok = not dis1.ip6 and dis2.ip6
+ print("IP6 partial : "..(ok and "OK" or "FAIL"))
+ test_assert(ok)
+
+ print("IP6+IPP")
+ dis1 = {ip6 = ip6_udp.ip6, payload=brandom(math.random(1,1))}
+ raw1 = reconstruct_dissect(dis1,{ip6_last_proto=IPPROTO_IPIP})
+ dis2 = dissect(raw1)
+ raw2 = reconstruct_dissect(dis2,{ip6_preserve_next=true})
+ print("IP6+IPP1: "..string2hex(raw1))
+ print("IP6+IPP2: "..string2hex(raw2))
+ print( raw1==raw2 and "DISSECT OK" or "DISSECT FAILED" )
+ test_assert(raw1==raw2)
+
 print("UDP standalone")
 raw1 = reconstruct_udphdr(ip6_udp.udp)
 print("UDP1: "..string2hex(raw1))
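Review bot: In the new IP6+IPP case, `brandom(math.random(1,1))` always produces a one-byte payload, so the random call adds nothing and the case never covers an empty or longer payload behind the IPv6 header; write `brandom(1)` if one byte is intended, or widen the range. The case only checks that reconstruct, dissect and reconstruct round-trip byte for byte, which would still pass if `ip6_last_proto` were ignored, because `ip6_preserve_next=true` just replays whatever the first pass produced. An explicit `test_assert` on the next-header value that `dissect(raw1)` reports would pin the behaviour this commit adds. test_dissect starts and ends outside this hunk.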
@@ -576,13 +593,6 @@ function test_dissect()
 print("IP2: "..string2hex(raw2))
 print( raw1==raw2 and "DISSECT OK" or "DISSECT FAILED" )
 test_assert(raw1==raw2)
-
- raw1 = string.sub(reconstruct_dissect(ip6_udp),1,-4-#ip6_udp.payload)
- dis1 = dissect(raw1, false)
- dis2 = dissect(raw1, true)
- local ok = not dis1.ip6 and dis2.ip6
- print("IP6 partial : "..(ok and "OK" or "FAIL"))
- test_assert(ok)
 end
 end
@@ -967,4 +977,27 @@ function test_rawsend(opts)
 dis = {ip6 = ip6, icmp = icmp, payload = payload}
 print("send ipv6 icmp")
 test_assert(rawsend_dissect_print(dis, {fwmark = 0x8E10, repeats=3}))
+
+ local ip2 = {
+ ip_tos = 0,
+ ip_id = math.random(0,0xFFFF),
+ ip_off = 0,
+ ip_ttl = 64,
+ ip_p = IPPROTO_UDP,
+ ip_src = pton("10.1.1.1"),
+ ip_dst = pton("10.1.1.2"),
+ }
+
+ dis = {ip = ip2, udp = udp, payload = payload}
+ raw_udp = reconstruct_dissect(dis)
+
+ ip6.ip6_flow=0x6000583F
+ dis = {ip6 = ip6, payload = raw_udp}
+ print("send ipv6 ipip")
+ test_assert(rawsend_dissect_print(dis, {fwmark = 0x8E10, repeats=3}, {ip6_last_proto=IPPROTO_IPIP}))
+
+ dis = {ip = ip, payload = raw_udp}
+ dis.ip.ip_p = IPPROTO_IPIP
+ print("send ipv4 ipip")
+ test_assert(rawsend_dissect_print(dis, {fwmark = 0x8E10, repeats=3}, {ip6_last_proto=IPPROTO_IPIP}))
 end
diff --git a/nfq2/desync.c b/nfq2/desync.c
index 43931f5..12868e6 100644
--- a/nfq2/desync.c
+++ b/nfq2/desync.c
@@ -1073,7 +1073,7 @@ static uint8_t desync(
 }
 else
 {
- b = lua_reconstruct_dissect(params.L, -1, mod_pkt, len_mod_pkt, false, false, false);
+ b = lua_reconstruct_dissect(params.L, -1, mod_pkt, len_mod_pkt, false, false, IPPROTO_NONE, false);
 lua_pop(params.L, 2);
 if (!b)
 {
diff --git a/nfq2/lua.c b/nfq2/lua.c
index 9939b5c..ba5e979 100644
--- a/nfq2/lua.c
+++ b/nfq2/lua.c
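Review bot: The final case in the test_rawsend hunk (`send ipv4 ipip`) passes `{ip6_last_proto=IPPROTO_IPIP}` although the packet has no IPv6 header; judging by the lua.c hunks of this patch the option is read only when the ip6 header is rebuilt, so here it looks like a copy-paste leftover and the protocol really comes from `dis.ip.ip_p = IPPROTO_IPIP`. That assignment writes through to the shared `ip` table, and `ip6.ip6_flow=0x6000583F` does the same to `ip6`, so any case appended after these lines inherits the modified headers; building a fresh table, as is done for `ip2`, avoids that. `raw_udp` is assigned without `local` in the visible lines, so unless it is declared earlier in test_rawsend (outside the hunk) it becomes a global; `local raw_udp = reconstruct_dissect(dis)` would keep it scoped.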
@@ -2353,7 +2353,8 @@ uint8_t lua_ip6_l4proto_from_dissect(lua_State *L, int idx)
 return IPPROTO_NONE;
 }
-bool lua_reconstruct_dissect(lua_State *L, int idx, uint8_t *buf, size_t *len, bool keepsum, bool badsum, bool ip6_preserve_next)
+// last_proto = IPPROTO_NONE means auto detect
+bool lua_reconstruct_dissect(lua_State *L, int idx, uint8_t *buf, size_t *len, bool keepsum, bool badsum, uint8_t last_proto, bool ip6_preserve_next)
 {
 uint8_t *data = buf;
 size_t sz,l,lpayload,l3,left = *len;
@@ -2386,7 +2387,7 @@ bool lua_reconstruct_dissect(lua_State *L, int idx, uint8_t *buf, size_t *len, b
 lua_getfield(L,idx,"ip6");
 if (lua_type(L,-1)!=LUA_TTABLE) goto err;
 ip6 = (struct ip6_hdr*)data;
- if (!lua_reconstruct_ip6hdr(L,-1, ip6, &l, lua_ip6_l4proto_from_dissect(L,idx), ip6_preserve_next))
+ if (!lua_reconstruct_ip6hdr(L,-1, ip6, &l, last_proto==IPPROTO_NONE ? lua_ip6_l4proto_from_dissect(L,idx) : last_proto, ip6_preserve_next))
 {
 DLOG_ERR("reconstruct_dissect: bad ip6\n");
 goto err;
@@ -2556,12 +2557,14 @@ static int luacall_reconstruct_dissect(lua_State *L)
 size_t l;
 uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned(16)));
+ uint8_t last_proto;
+
 l = sizeof(buf);
 bool ip6_preserve_next, badsum, keepsum;
- lua_reconstruct_extract_options(L, 2, &keepsum, &badsum, &ip6_preserve_next, NULL);
+ lua_reconstruct_extract_options(L, 2, &keepsum, &badsum, &ip6_preserve_next, &last_proto);
- if (!lua_reconstruct_dissect(L, 1, buf, &l, keepsum, badsum, ip6_preserve_next))
+ if (!lua_reconstruct_dissect(L, 1, buf, &l, keepsum, badsum, last_proto, ip6_preserve_next))
 luaL_error(L, "invalid dissect data");
 lua_pushlstring(L,(char*)buf,l);
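Review bot: The one-line comment added above `lua_reconstruct_dissect` does not say which header `last_proto` applies to; in the hunks shown it is read only where the ip6 header is rebuilt, so an IPv4 dissect appears to ignore it. Because IPPROTO_NONE doubles as the auto-detect sentinel, a caller also cannot force that value as the next header when the dissect carries an L4 table. I would state both in the comment, e.g. `// last_proto: value for the final IPv6 next-header field; IPPROTO_NONE = derive it from the dissect (so NONE itself cannot be forced). IPv4 path does not read it - confirm.` The new `uint8_t` sits between two `bool` parameters, so a call with the last two arguments swapped still compiles silently; the function body continues outside the hunk.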
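Review bot: In luacall_reconstruct_dissect, `uint8_t last_proto;` is declared without an initializer and then handed to `lua_reconstruct_extract_options`, which previously received NULL in this slot and whose body is not part of the patch. If that helper leaves `*last_proto` untouched when the options argument is absent or has no `ip6_last_proto` field, an indeterminate stack byte becomes the IPv6 next-header value instead of triggering auto detection. Initialising at the declaration, `uint8_t last_proto = IPPROTO_NONE;`, makes the default explicit whatever the helper does. The same pattern is added to luacall_rawsend_dissect in the following hunk, where the rebuilt buffer is what gets sent, so the same one-line change applies there.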
@@ -2865,13 +2868,15 @@ static int luacall_rawsend_dissect(lua_State *L)
 sockaddr_in46 sa;
 bool b, badsum, keepsum, ip6_preserve_next;
 uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned(16)));
+ uint8_t last_proto;
+
 len = sizeof(buf);
 luaL_checktype(L,1,LUA_TTABLE);
 lua_rawsend_extract_options(L,2, &repeats, &fwmark, &ifout);
- lua_reconstruct_extract_options(L, 3, &keepsum, &badsum, &ip6_preserve_next, NULL);
+ lua_reconstruct_extract_options(L, 3, &keepsum, &badsum, &ip6_preserve_next, &last_proto);
- if (!lua_reconstruct_dissect(L, 1, buf, &len, keepsum, badsum, ip6_preserve_next))
+ if (!lua_reconstruct_dissect(L, 1, buf, &len, keepsum, badsum, last_proto, ip6_preserve_next))
 luaL_error(L, "invalid dissect data");
 if (!extract_dst(buf, len, (struct sockaddr*)&sa))
@@ -3868,11 +3873,13 @@ static void lua_init_const(void)
 {"IPV6_FLOWINFO_MASK",0x0FFFFFFF},
 {"IPPROTO_IP",IPPROTO_IP},
+ {"IPPROTO_IPIP",IPPROTO_IPIP},
 {"IPPROTO_IPV6",IPPROTO_IPV6},
 {"IPPROTO_ICMP",IPPROTO_ICMP},
 {"IPPROTO_TCP",IPPROTO_TCP},
 {"IPPROTO_UDP",IPPROTO_UDP},
 {"IPPROTO_ICMPV6",IPPROTO_ICMPV6},
+ {"IPPROTO_SCTP",IPPROTO_SCTP},
 {"IPPROTO_HOPOPTS",IPPROTO_HOPOPTS},
 {"IPPROTO_ROUTING",IPPROTO_ROUTING},
 {"IPPROTO_FRAGMENT",IPPROTO_FRAGMENT},
diff --git a/nfq2/lua.h b/nfq2/lua.h
index b9aaac1..d7b055c 100644
--- a/nfq2/lua.h
+++ b/nfq2/lua.h
@@ -112,7 +112,7 @@ bool lua_reconstruct_iphdr(lua_State *L, int idx, struct ip *ip, size_t *len);
 bool lua_reconstruct_tcphdr(lua_State *L, int idx, struct tcphdr *tcp, size_t *len);
 bool lua_reconstruct_udphdr(lua_State *L, int idx, struct udphdr *udp);
 bool lua_reconstruct_icmphdr(lua_State *L, int idx, struct icmp46 *icmp);
-bool lua_reconstruct_dissect(lua_State *L, int idx, uint8_t *buf, size_t *len, bool keepsum, bool badsum, bool ip6_preserve_next);
+bool lua_reconstruct_dissect(lua_State *L, int idx, uint8_t *buf, size_t *len, bool keepsum, bool badsum, uint8_t last_proto, bool ip6_preserve_next);
 typedef struct {
 unsigned int func_n;
diff --git a/nfq2/windows/res/32/winicon.o b/nfq2/windows/res/32/winicon.o new file mode 100755 index 0000000000000000000000000000000000000000..8b8eaf6b78e7022e396803babe9287de885c35cb GIT binary patch literal 4550 zcmeHLYitx%6h1R^XJ==2w~wW4(^6o;R%k1w#Gr`O)}%rqKzRnFRcf`B(r6IEqirnZ zAwe69iTDFhBTgV;<;7=J{n?}QTspm~3DS+I=eEfG4L86Hh zpdpU>dDK%E(FEQ86oYk@^;sl6LFZY~=aK*%{}v%WAo(PLenPE?{7VW?s2@+_Bq<;f z^brjR{~L8&252H!Ebjr6-Gsq@B`Kvj!iEIQR0Fc9+YoOudtq4eM|3Ti<_JZD;d~f5 zrV|dgBb@%dk4Oivp_o^U5NE#`(tQv#YYU`jcftPCeem3d>GR7dj2h=7e6ayv^wK(5 z_?#OKoI$9nMYx1_g`GuY<(m*RTN^12*A+F}DVYDPA6mV4agjQ(q6XQAXHc5+0?*~T zXflKOdRSEM*6p3V)yt;PiYSvUAt}WNcE>@|O#)di2b1E4Ra<<9K9CLhcn?Z*D>(mp z1HR~`Ab&*Mz2c#DcJvPv^A{l4lYa^+XM$O6hxLttXe^)0Cjv3!7k(xF&HE5+i9SfM zZzg^P6t$7~J+SYGUik|95-WbGg<@H|i)t_NHt`nfv0H2hAa_bP9Bwn@j%EDfdE(#t z8G>r<0ZFPLet~L#52TLjf=_?E@BBO#;R5-v=NJlU>3&Fb?A3kXz9{Byc;^d4A7YjN z@P4ubmryOu-yz_g0{(WFg*g@P1n6-MaSY5E=W5d{E zx&PA7RQpwL@Y=sl+?jgp7TZxMEcU?Jj{DBfV-e4JkyUIBP~2V;{-{g>t8G8nhr8hG zW1TI`;VhV&jG&|o0L{~WlL=Lztz_}o{NamH*F|n{}d+gA46my>lQ2gh0et^e8)owz;EEgQVVW?v|;zA*7vY+rJA)SFb zh0fP8djIfBs@B6)jrU&Sa0kWW0SleKIQxwVBR0^q_qk3O$8}`0*~e7XPy6Gid&Nn@ zn<8}nX;_vvBIQm)-OD&G-PuLpT9UC5Vq}ZIf^keO*Lh~?JWO^Z@wm%KhT0a7agMyb zvuPtv$R5{8%9TSfP|0|9Cpmzv_>^|xRUI?<54VfKVSdHv6vo*$59c~>-`zquqyy9=M3>Z>S!8WR%Y zyo8(9A9jHCI8hY6+c&Spb*n3pF~-ke@&NeorBueG?p4)gxOCARlthuA|M>95q4Z|6 z^4+W%1wNjGX;U9|D~jm?=?9Gd4r(<=X3V`| z&5QW-P@byEx2uvQdW)XQ^EYm*!FjW%qbxI?`5*?J^oZzko*RaLPJ8@Fx1rq}C;yAWy3C(Gi>d*O`MAs?1e z9y+tLGCUKq$Md*6gh}N%QG{x$@$UMXm#}2XTzp{cXsT7_kt8UMw(~FN4#vcKn?-9U zU-)^P9J0sEit;VhoX2X>t`TMvtvd$G)gd&*cL)#^s?!djIq&(JJ~vv6!05US@jl^7 zzHhX z8fPK0y=bMVyB4P58f1?NZTy@Qfu+4Zy zL)3^?E3o~=@UYo2LPc+uwx74E`_Eu3^lr}4LbWuyUvHPrVBqu89Rc#4(JNiUCD`5G zaQD@XbL?HlXRv}A)qb9a-dP)XAsgLl+Z)k$CX9CeMfBI;MKmN*MEiWaZ{hA>A$ncv z+A;lihIiop;J0km zAlV0jlpJJ|0Z|h{ zV_d3|x!OR6U8NGtGbIxuXd?1WZMIB`Xz(gGUn9En*j-nNc5P*LyzNlFXL)%N3_GRo KijM-{#(n`yR($^e literal 0 HcmV?d00001 
diff --git a/nfq2/windows/res/64/winicon.o b/nfq2/windows/res/64/winicon.o new file mode 100755 index 0000000000000000000000000000000000000000..36180cb4fc5c6a4e9e9f7ad60566392f0bcbf020 GIT binary patch literal 4566 zcmeHLYitx%6h1R^XJ==2w~wW4(^6nT5Xwp^F(_hdYf_#8$}=ET!AdKo(NstaEwL>R z3EEgl#2-L35XBfpBWMirLxEt3JW7QGEsqxX0U;PI(sp;*$MM|RE^N#6>Gqf2^vr#I z=X~d!duC=ktF{Ti+p&0n(1=0W+I4GR(^o^6657k4;X&$o6G^fmJ)4goH4!A5I033- zsGmnYbrDU_?N2sXR~f+02qYhJU#jVEbr<-3v@gRVm`O4lrqT@H8D_$lr2 zP2%}uBaOm7)cy7aV@EQuk#`p=J z+Y>qMm%+kUJ#e@Vp{N4kDn1l;9+Bm5LeOlDgd42e(rjm8{wo1!@IAyu>cHx9WS`Wb zG-nmhWtpzi{bfBY%J=B@&fM)_Q)obx$(E3i=lRFBG#DAlMUsX}6aOX0-{{*91Fb`CL97j2gf2JMnKm zfMARFL!5mx@hhOHHN@|Q13z`hSJ;sP^|l@~~F;;^zV9=dlQv$%nlsQAimTfOyA#-3RWAVs3*E zzcTb8TKNy3Cp&x%#R-`~s=uT98St}EEqCFaJp)>Qy!PZ>Kl1zE57xLH#I1l?s|1VH z4Ld$Fj6Is?Fa1ijU-TZY{aeJHs>g1zoq(KNFPv{4aDE<(c)^FPU~7=#_L1;cX98Gl zhrmAA4d2!q`VjT=KkGwj#tM4=I4 zjAYqrWcyF|<@uWjmy1!1+?+>4(Y7dyI@!m%qo{(6)V4?dj#(q1(hz&IDW3Cg%aUI!g_A^xt z(D?-DS#gH&rU;#$hAUHsB;Bvx_$H1S;T(EzS8WxJca3Qw<-$G~DC9cDg?Tt6Ig$VFS=??a6s@ zioYQLC5(%U@ewYgD{MFGF`_8?wr?)QvbBZC7~}U~VmJ8kRx)E!TS@UsT)JouN}|Z` z|Jd+mUwX4y`C-=dY(LLI#+0W$iekD<`l0u}u_2dYGF^S{*@@nY(lt17f(xw{^@K6B zSF33EQ|-H;^FH)CpMpk`Y+&YL|AWts8Z zr-gC->FF#BRkPye`K;Z(5f|ppK;jFMt!LWp&7?fJiwc%u&9)6#`|d{K&Ouu9%d)tp zKb)O)$cJT=hZfhk(cbZ{u{VUjsc6rq@EysfhQ4P3rtEB~EAPD+T|eA?U8}Y!5(! QeGf;G-)cCDK046#ANCkE0{{R3 literal 0 HcmV?d00001 diff --git a/nfq2/windows/res/64/winmanifest.o b/nfq2/windows/res/64/winmanifest.o new file mode 100755 index 0000000000000000000000000000000000000000..0ca3b2f7a4c8004b7859ca5950084614780b7562 GIT binary patch literal 1364 zcmb_cQE$^Q5Kgu6(qF)%$-5gncG6@@yCDH$5)w#^!K)LWH%m!e?6lj2ka*%p@Jo5b zZt2!ZP|&oKY@N^Foxk(hC%=!PAoC|tw9yWuiFLMFTQ}3s!zik}$~`7Xz@0?oB$K@-F`bYYLEjju`-@rp;p`PI zV&n$VOVOGhX7LTU_;^09gmci~L+aI~+5<1~v*rgjzdu9GJ7>k3OcXZG!tsZVROK-67dFhV;`OfNzE(OkH>3OJH;sR2MManrz(@d32JPwayFApwKl@`Eo#_AGt&MB@%*$Bz@R_5bPhYCF_$icl%8M@*@ H6x!G?{WN_S literal 0 HcmV?d00001 
diff --git a/nfq2/windows/res/winws_res64.o b/nfq2/windows/res/winws_res64.o index 897ca6d8800e964804f0ddcb971c2c45f3119c32..d48e1bbf7187c7886cb023bc34d8800e3980c273 100644 GIT binary patch delta 299 zcmccif$`l3M$VKrMg|awn8+#3`JkME!3M~Y*{EC1$hc|qO2$uxjJ%U)7kdH8r^V)i zyj%)EU{jo$Tw0V_QfbFKS-V6ADCb_{03_Q>WR;*Q^btycT5R-7ib{)1JoD1>fm#li zxQalPB^DIqWF{w;Waj4qB^=A0CdZU=0!{i~CONsTR0GHYim{n1=;{KcL4s^$P{GLs zWvozzeK0W&3q3=aQYWxp52%tw<(g(Nm!a4Rc3g6PZUN8@NtrodKXKXUCl(i{<|gHU JJovXf5&-BST>Jn4 delta 268 zcmaF&f$`c0M$VKrMg|aYn8+#3d7_+w!3M}-*{EC1$T(~BO2$uxljjtBO@3Z%&d;R) z1UAK~$)!b^C6#uQ^-E+X`;<6L?k$m(hsf!}C4qb!{gR^6;u6oiw0yhCXG&a!AZii| z3UV@&6H7Al^Xw+umN{{TWfqqtD(LFkO)e~T1c|VkLwS;uMandQBJMyL$;tD;Y-ct- zL$I`9xf4h+o1p<*^|o?NBd9}=Z2`L_IX|}mXlYVr4#@3XHu{Oh#i_YTIY57iRzv~- DCbU+q