mirror of https://github.com/bol-van/zapret2.git synced 2026-03-13 22:03:09 +00:00

AI inspired fixes

bol-van
2026-02-02 10:58:48 +03:00
parent a781f3d1ce
commit 2ddfe55d9a
6 changed files with 22 additions and 25 deletions


@@ -1034,7 +1034,7 @@ Direct file operations from Lua code are not recommended unless absolutely neces
These come in three types: `--payload`, `--in-range`, and `--out-range`. Filter values remain active from the moment they are specified until the next override.
- `--payload=type1[,type2][,type2]...` accepts a comma-separated list of known [payloads](#protocol-detection), "all", or "known". The default is `--payload=all`.
- `--payload=type1[,type2][,type3]...` accepts a comma-separated list of known [payloads](#protocol-detection), "all", or "known". The default is `--payload=all`.
- `--(in-range|out-range)=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]` sets conntrack counter ranges for inbound and outbound directions. The default is `--in-range=x`, `--out-range=a`.
Ranges are specified in the following formats: `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`, where `m` is the counter mode, `X` is the lower bound, and `Y` is the upper bound. Modes `x` and `a` are specified as a single letter without a range or counter value. The `-` sign indicates an inclusive upper bound, while `<` indicates an exclusive one.
@@ -1061,7 +1061,7 @@ The following example demonstrates a setup where we attempt to use specific "fak
```
--filter-tcp=80,443 --filter-l7=http,tls
--out-range=-s34228 and
--out-range=-s34228
--in-range=-s5556 --lua-desync=circular
--in-range=x
--payload=tls_client_hello
@@ -1344,8 +1344,6 @@ desync
| func_instance | string | instance name | derived from the function name, instance number, and profile number |
| profile_n | number | profile number | |
| profile_name | string | profile name | optional |
| template_n | number | number of the template the profile is based on | optional |
| template_name | string | name of the template the profile is based on | optional |
| cookie | string | value of the nfqws2 --cookie parameter for the profile | optional |
| outgoing | bool | true if the direction is outgoing | |
| ifin | string | incoming interface name | optional |
@@ -1449,7 +1447,7 @@ All multi-byte numeric values are automatically converted from network byte orde
| th_dport | destination port |
| th_x2 | reserved field; used for extended TCP flags |
| th_off | TCP header size in 4-byte blocks |
| th_flags | TCP flags: TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_FIN, TH_URG, TH_ECE, TH_CWR |
| th_flags | TCP flags: TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECE, TH_CWR |
| th_seq | sequence number |
| th_ack | acknowledgement number |
| th_win | TCP window size |
@@ -1621,12 +1619,12 @@ Before executing `--lua-init`, the C code sets up base constants, blobs, and C f
| IPV6_FLOWLABEL_MASK | number | flow label in ip6_flow | 0x000FFFFF |
| IPV6_FLOWINFO_MASK | number | flow label and traffic class in ip6_flow | 0x0FFFFFFF |
| IPPROTO_IP<br>IPPROTO_IPV6<br>IPPROTO_ICMP<br>IPPROTO_ICMPV6<br>IPPROTO_TCP<br>IPPROTO_UDP<br>IPPROTO_SCTP<br>IPPROTO_HOPOPTS<br>IPPROTO_ROUTING<br>IPPROTO_FRAGMENT<br>IPPROTO_AH<br>IPPROTO_ESP<br>IPPROTO_DSTOPTS<br>IPPROTO_MH<br>IPPROTO_HIP<br>IPPROTO_SHIM6<br>IPPROTO_NONE | number | [IP protocol numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) | used in IPv4 and IPv6 |
| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<brICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [icmp types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<br>ICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [icmp types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
| ICMP_UNREACH_NET<br>ICMP_UNREACH_HOST<br>ICMP_UNREACH_PROTOCOL<br>ICMP_UNREACH_PORT<br>ICMP_UNREACH_NEEDFRAG<br>ICMP_UNREACH_SRCFAIL<br>ICMP_UNREACH_NET_UNKNOWN<br>ICMP_UNREACH_HOST_UNKNOWN<br>ICMP_UNREACH_NET_PROHIB<br>ICMP_UNREACH_HOST_PROHIB<br>ICMP_UNREACH_TOSNET<br>ICMP_UNREACH_TOSHOST<br>ICMP_UNREACH_FILTER_PROHIB<br>ICMP_UNREACH_HOST_PRECEDENCE<br>ICMP_UNREACH_PRECEDENCE_CUTOFF | number | icmp codes for destination unreachable |
| ICMP_REDIRECT_NET<br>ICMP_REDIRECT_HOST<br>ICMP_REDIRECT_TOSNET<br>ICMP_REDIRECT_TOSHOST | number | icmp codes for redirect |
| ICMP_TIMXCEED_INTRANS<br>ICMP_TIMXCEED_REASS | number | icmp codes for time exceeded |
| ICMP6_ECHO_REQUEST<br>ICMP6_ECHO_REPLY<br>ICMP6_DST_UNREACH<br>ICMP6_PACKET_TOO_BIG<br>ICMP6_TIME_EXCEEDED<br>ICMP6_PARAM_PROB<br>MLD_LISTENER_QUERY<br>MLD_LISTENER_REPORT<br>MLD_LISTENER_REDUCTION<br>ND_ROUTER_SOLICIT<br>ND_ROUTER_ADVERT<br>ND_NEIGHBOR_SOLICIT<br>ND_NEIGHBOR_ADVERT<br>ND_REDIRECT | number | [icmpv6 types](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) |
| ICMP6_DST_UNREACH_NOROUTE<br>ICMP6_DST_UNREACH_ADMIN<br>ICMP6_DST_UNREACH_BEYONDSCOPE<br>ICMP6_DST_UNREACH_ADDR<br>ICMP6_DST_UNREACH_NOPORT | number | коды icmpv6 для destination unreachable |
| ICMP6_DST_UNREACH_NOROUTE<br>ICMP6_DST_UNREACH_ADMIN<br>ICMP6_DST_UNREACH_BEYONDSCOPE<br>ICMP6_DST_UNREACH_ADDR<br>ICMP6_DST_UNREACH_NOPORT | number | icmpv6 codes for destination unreachable |
| ICMP6_TIME_EXCEED_TRANSIT<br>ICMP6_TIME_EXCEED_REASSEMBLY | number | icmpv6 codes for time exceeded |
| ICMP6_PARAMPROB_HEADER<br>ICMP6_PARAMPROB_NEXTHEADER<br>ICMP6_PARAMPROB_OPTION | number | icmpv6 codes for parameter problem |


@@ -1164,7 +1164,7 @@ Lua код выполняется с ограниченными правами,
Они бывают трех видов - `--payload`, `--in-range`, `--out-range`.
Значения фильтров действуют с момента их указания до следующего переопределения.
- `--payload=type1[,type2][,type2]...` принимает список известных пейлоадов через зяпятую, "all" или "known". [Список известных пейлоадов](#распознавание-протоколов). По умолчанию `--payload=all`.
- `--payload=type1[,type2][,type3]...` принимает список известных пейлоадов через зяпятую, "all" или "known". [Список известных пейлоадов](#распознавание-протоколов). По умолчанию `--payload=all`.
- `--(in-range|out-range)=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]` задает диапазоны счетчиков conntrack по входящему и исходящему направлениям. По умолчанию `--in-range=x`, `--out-range=a`.
Диапазоны задаются в формах : `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`, где m - режим счетчика, X - нижнее значение, Y - верхнее значение.
@@ -1196,7 +1196,7 @@ nfqws2 следит за превышением верхней границы с
```
--filter-tcp=80,443 --filter-l7=http,tls
--out-range=-s34228 and
--out-range=-s34228
--in-range=-s5556 --lua-desync=circular
--in-range=x
--payload=tls_client_hello
@@ -1486,8 +1486,6 @@ desync
| func_instance | string | название инстанса | производная имени функции, номера инстанса и номера профиля |
| profile_n | number | номер профиля | |
| profile_name | string | название профиля | может отсутствовать |
| template_n | number | номер шаблона, на базе которого создан профиль | может отсутствовать |
| template_name | string | название шаблона, на базе которого создан профиль | может отсутствовать |
| cookie | string | значение параметра nfqws2 --cookie для профиля | может отсутствовать |
| outgoing | bool | true , если направление исходящее | |
| ifin | string | имя входящего интерфейса | может отсутствовать |
@@ -1591,7 +1589,7 @@ ipv6 extension headers и tcp options представляются в форме
| th_dport | порт приемника |
| th_x2 | зарезервированное поле. используется для расширенных tcp flags |
| th_off | размер tcp хедера в блоках по 4 байта |
| th_flags | tcp флаги : TH_FIN,TH_SYN,TH_RST,TH_PUSH,TH_ACK,TH_FIN,TH_URG,TH_ECE,TH_CWR |
| th_flags | tcp флаги : TH_FIN,TH_SYN,TH_RST,TH_PUSH,TH_ACK,TH_URG,TH_ECE,TH_CWR |
| th_seq | sequence number |
| th_ack | acknowledgement number |
| th_win | размер tcp окна |
@@ -1766,7 +1764,7 @@ desync.track всегда отсутствует.
| IPV6_FLOWLABEL_MASK | number | flow label в ip6_flow | 0x000FFFFF |
| IPV6_FLOWINFO_MASK | number | flow label, traffic class в ip6_flow | 0x0FFFFFFF |
| IPPROTO_IP<br>IPPROTO_IPV6<br>IPPROTO_IPIP<br>IPPROTO_ICMP<br>IPPROTO_ICMPV6<br>IPPROTO_TCP<br>IPPROTO_UDP<br>IPPROTO_SCTP<br>IPPROTO_HOPOPTS<br>IPPROTO_ROUTING<br>IPPROTO_FRAGMENT<br>IPPROTO_AH<br>IPPROTO_ESP<br>IPPROTO_DSTOPTS<br>IPPROTO_MH<br>IPPROTO_HIP<br>IPPROTO_SHIM6<br>IPPROTO_NONE | number | [номера IP протоколов](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) | используются в ipv4 и ipv6 |
| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<brICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [типы icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<br>ICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [типы icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
| ICMP_UNREACH_NET<br>ICMP_UNREACH_HOST<br>ICMP_UNREACH_PROTOCOL<br>ICMP_UNREACH_PORT<br>ICMP_UNREACH_NEEDFRAG<br>ICMP_UNREACH_SRCFAIL<br>ICMP_UNREACH_NET_UNKNOWN<br>ICMP_UNREACH_HOST_UNKNOWN<br>ICMP_UNREACH_NET_PROHIB<br>ICMP_UNREACH_HOST_PROHIB<br>ICMP_UNREACH_TOSNET<br>ICMP_UNREACH_TOSHOST<br>ICMP_UNREACH_FILTER_PROHIB<br>ICMP_UNREACH_HOST_PRECEDENCE<br>ICMP_UNREACH_PRECEDENCE_CUTOFF | number | коды icmp для destination unreachable |
| ICMP_REDIRECT_NET<br>ICMP_REDIRECT_HOST<br>ICMP_REDIRECT_TOSNET<br>ICMP_REDIRECT_TOSHOST | number | коды icmp для icmp redirect |
| ICMP_TIMXCEED_INTRANS<br>ICMP_TIMXCEED_REASS | number | коды icmp для time exceeded |


@@ -1539,7 +1539,7 @@ end
-- checks if filename is gzip compressed
function is_gzip_file(filename)
local f, err = io.open(filename, "r")
local f, err = io.open(filename, "rb")
if not f then
error("is_gzip_file: "..err)
end
@@ -1550,7 +1550,7 @@ end
-- ungzip file to raw string
-- expected_ratio = uncompressed_size/compressed_size (default 4)
function gunzip_file(filename, expected_ratio, read_block_size)
local f, err = io.open(filename, "r")
local f, err = io.open(filename, "rb")
if not f then
error("gunzip_file: "..err)
end
@@ -1590,7 +1590,7 @@ end
-- level : 1..9 (default 9)
-- memlevel : 1..8 (default 8)
function gzip_file(filename, data, expected_ratio, level, memlevel, compress_block_size)
local f, err = io.open(filename, "w")
local f, err = io.open(filename, "wb")
if not f then
error("gzip_file: "..err)
end
@@ -1619,7 +1619,7 @@ function gzip_file(filename, data, expected_ratio, level, memlevel, compress_blo
end
-- reads the whole file
function readfile(filename)
local f, err = io.open(filename, "r")
local f, err = io.open(filename, "rb")
if not f then
error("readfile: "..err)
end
@@ -1637,7 +1637,7 @@ function z_readfile(filename, expected_ratio)
end
-- write data to filename
function writefile(filename, data)
local f, err = io.open(filename, "w")
local f, err = io.open(filename, "wb")
if not f then
error("writefile: "..err)
end
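Review bot: The switch to binary mode in is_gzip_file, gunzip_file, gzip_file, readfile and writefile is not explained anywhere, so a later cleanup could easily revert it. A one-line comment above the first `io.open` would record the reason, for example `-- binary mode: text mode on Windows translates line endings and would corrupt gzip/raw data`. The header comments `-- reads the whole file` and `-- write data to filename` could also say that the data is handled as raw bytes. All five function bodies continue outside the hunks, so whether the handle is closed on every error path cannot be checked from here.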


@@ -30,7 +30,7 @@ function pcap(ctx, desync)
os.remove(_G[fn_cache_name])
end
end
local f = io.open(_G[fn_cache_name], "a")
local f = io.open(_G[fn_cache_name], "ab")
if not f then
error("pcap: could not write to '".._G[fn_cache_name].."'")
end
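Review bot: The `io.open` call in pcap discards the second return value, so the error raised on failure names the file but not the reason (permission denied, missing directory, and so on). The library helpers touched by the same commit already keep it, and matching them would be `local f, err = io.open(_G[fn_cache_name], "ab")` with `error("pcap: could not write to '".._G[fn_cache_name].."': "..tostring(err))`. The function body starts and ends outside the hunk.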


@@ -1644,6 +1644,7 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
if (bptr)
{
if (a>=e) return NULL;
// name pointer
off = (*a & 0x3F)<<8 | a[1];
p = b + off;
@@ -1929,14 +1930,13 @@ static uint8_t dpi_desync_icmp_packet(
if (pkt_attached)
{
struct dissect adis;
len_attached = pkt_attached - dis->data_payload + dis->len_payload;
proto_dissect_l3l4(pkt_attached, len_attached, &adis, true); // dissect without payload length checks - can be partial
if (!dis->ip && !dis->ip6)
if (!adis.ip && !adis.ip6)
DLOG("attached packet is invalid\n");
else
{
l7payload = dis->ip ? L7P_IPV4 : L7P_IPV6;
l7payload = adis.ip ? L7P_IPV4 : L7P_IPV6;
DLOG("attached packet\n");
packet_debug(false, &adis);
if (ConntrackPoolDoubleSearch(&params.conntrack, &adis, &ctrack, &bReverse))
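Review bot: In the dns_extract_name hunk the guard `if (a>=e) return NULL;` covers only `*a`, but the next statement also reads `a[1]`, so when `a` is the last byte before `e` the name-pointer read goes one byte past the limit (assuming `e` is the end of the message, as the comparison suggests). Checking both bytes, `if ((a+1)>=e) return NULL;`, would close that. Whether `p = b + off` is validated against `e` before it is dereferenced lies outside the hunk and is worth confirming, since `off` is taken straight from the packet. The function body continues outside the hunk.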


@@ -1337,7 +1337,7 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
// quic v2 : initial packets are 01b
if ((data[0] & 0x30) != (is_quic_v2(ver) ? 0x10 : 0x00)) return false;
uint64_t offset=5, sz;
uint64_t offset=5, sz, sz2;
// DCID
if (data[offset] > QUIC_MAX_CID_LENGTH) return false;
@@ -1353,9 +1353,10 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
if (offset >= len) return false;
// payload length
if ((offset + tvb_get_size(data[offset])) > len) return false;
sz2 = tvb_get_size(data[offset]);
if ((offset + sz2) > len) return false;
tvb_get_varint(data + offset, &sz);
offset += sz;
offset += sz2 + sz;
if (offset > len) return false;
return true;
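Review bot: In the payload-length step of IsQUICInitial, `offset += sz2 + sz` is bounds-checked only after the addition, so the final `offset > len` test is sound only if the value stored by `tvb_get_varint` can never wrap a `uint64_t` sum; that bound is not visible in this hunk. Comparing by subtraction before advancing, `if (sz > len - offset - sz2) return false;`, makes the check independent of that assumption, because `offset + sz2 <= len` has already been established on the previous line. The names `sz` and `sz2` are also easy to swap; a comment such as `// sz2 = size of the length varint, sz = payload length it encodes` would help the next reader.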