From a6d43af9319af7547743da09c63ac9fcb9c643a5 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Thu, 11 Dec 2025 01:03:25 +0300
Subject: [PATCH] nfqws2: autohostlist do not react to rseq 0

---
 nfq2/conntrack.c | 2 +-
 nfq2/desync.c | 14 ++++++--------
 nfq2/protocol.c | 4 +++-
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/nfq2/conntrack.c b/nfq2/conntrack.c
index 737dad1..6f0fa16 100644
--- a/nfq2/conntrack.c
+++ b/nfq2/conntrack.c
@@ -323,7 +323,7 @@ void ConntrackPoolPurge(t_conntrack *p)
 struct timespec tnow;
 t_conntrack_pool *t, *tmp;
- if (!clock_gettime(CLOCK_REALTIME, &tnow)) return;
+ if (clock_gettime(CLOCK_REALTIME, &tnow)) return;
 if ((tnow.tv_sec - p->t_last_purge) >= p->t_purge_interval)
 {
 HASH_ITER(hh, p->pool, t, tmp)
 {
diff --git a/nfq2/desync.c b/nfq2/desync.c
index 4509ce1..779fdc6 100644
--- a/nfq2/desync.c
+++ b/nfq2/desync.c
@@ -248,12 +248,10 @@ static bool is_retransmission(const t_ctrack_position *pos)
 // return true if retrans trigger fires
 static bool auto_hostlist_retrans(t_ctrack *ctrack, uint8_t l4proto, int threshold, const char *client_ip_port, t_l7proto l7proto)
 {
- if (ctrack && ctrack->dp && ctrack->hostname_ah_check && ctrack->req_retrans_counter != RETRANS_COUNTER_STOP)
+ if (ctrack && ctrack->dp && ctrack->hostname_ah_check && !ctrack->failure_detect_finalized && ctrack->req_retrans_counter != RETRANS_COUNTER_STOP)
 {
- if (l4proto == IPPROTO_TCP)
+ if (l4proto == IPPROTO_TCP && ctrack->pos.state!=SYN)
 {
- if (ctrack->failure_detect_finalized)
- return false;
 if (!seq_within(ctrack->pos.client.seq_last, ctrack->pos.client.seq0, ctrack->pos.client.seq0 + ctrack->dp->hostlist_auto_retrans_maxseq))
 {
 ctrack->failure_detect_finalized = true;
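Review bot: The corrected guard still times the purge with CLOCK_REALTIME, so a backwards wall-clock step (NTP correction, manual time set) makes `(tnow.tv_sec - p->t_last_purge)` negative and suspends eviction until real time catches up, while the pool keeps growing. If `t_last_purge` is stamped from the same clock elsewhere (outside this hunk), switching both to the monotonic clock removes that dependency: `if (clock_gettime(CLOCK_MONOTONIC, &tnow)) return;`. Since the removed line returned on clock_gettime success, this purge path appears to run for the first time with this fix, so it is worth watching for eviction-related regressions. ConntrackPoolPurge continues outside the hunk.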
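Review bot: Hoisting `!ctrack->failure_detect_finalized` into the outer condition also stops retransmission counting for non-TCP flows once the detector is finalized, whereas the removed lines applied it only inside the `IPPROTO_TCP` branch; the commit message covers only the rseq-0 case, so it is unclear whether that change for UDP/QUIC flows is intended. If it is, a comment on the hoisted check would record it (`// once finalized, no further retrans triggers for any l4proto`); if not, the check belongs back inside the TCP branch. The new `ctrack->pos.state!=SYN` guard looks reasonable, presumably because seq_last is not yet meaningful during the handshake, but it would read better with the spacing used on the rest of the line: `ctrack->pos.state != SYN`. The body of auto_hostlist_retrans continues past the end of the hunk.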
@@ -1097,17 +1095,17 @@ static uint8_t dpi_desync_tcp_packet_play(
 // process reply packets for auto hostlist mode
 // by looking at RSTs or HTTP replies we decide whether original request looks like DPI blocked
 // we only process first-sequence replies. do not react to subsequent redirects or RSTs
- if (!params.server && ctrack && ctrack->hostname_ah_check && !ctrack->failure_detect_finalized)
+ uint32_t rseq = ctrack->pos.server.seq_last - ctrack->pos.server.seq0;
+ if (!params.server && ctrack && ctrack->hostname_ah_check && !ctrack->failure_detect_finalized && rseq && dp->hostlist_auto_incoming_maxseq)
 {
 char client_ip_port[48];
 if (*params.hostlist_auto_debuglog)
 ntop46_port((struct sockaddr*)&dst, client_ip_port, sizeof(client_ip_port));
 else
 *client_ip_port = 0;
- if (seq_within(ctrack->pos.server.seq_last, ctrack->pos.server.seq0, ctrack->pos.server.seq0 + dp->hostlist_auto_incoming_maxseq))
+ if (seq_within(ctrack->pos.server.seq_last, ctrack->pos.server.seq0 + 1, ctrack->pos.server.seq0 + dp->hostlist_auto_incoming_maxseq))
 {
 bool bFail = false;
- uint32_t rseq = ctrack->pos.server.seq_last - ctrack->pos.server.seq0;
 if (dis->tcp->th_flags & TH_RST)
 {
@@ -1117,7 +1115,7 @@ static uint8_t dpi_desync_tcp_packet_play(
 }
 else if (dis->len_payload && l7payload == L7P_HTTP_REPLY)
 {
- DLOG("incoming HTTP reply detected for hostname %s rseq\n", ctrack->hostname, rseq);
+ DLOG("incoming HTTP reply detected for hostname %s rseq %u\n", ctrack->hostname, rseq);
 bFail = HttpReplyLooksLikeDPIRedirect(dis->data_payload, dis->len_payload, ctrack->hostname);
 if (bFail)
 {
diff --git a/nfq2/protocol.c b/nfq2/protocol.c
index ca2cdab..5cd9f34 100644
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
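Review bot: The hoisted `uint32_t rseq = ctrack->pos.server.seq_last - ctrack->pos.server.seq0;` dereferences `ctrack` before the `ctrack &&` test on the following line, so a NULL conntrack entry (which that condition still treats as possible) now crashes the packet-processing daemon instead of skipping the block; the removed line computed rseq only inside the guarded block. Unless an earlier check outside the hunk guarantees ctrack is non-NULL at this point, make the initialization conditional: `uint32_t rseq = ctrack ? ctrack->pos.server.seq_last - ctrack->pos.server.seq0 : 0;`. With that in place, the `rseq` term in the condition and the `seq0 + 1` lower bound passed to seq_within both exclude the same case, which is fine but deserves a one-line comment such as `// rseq==0: server sequence has not advanced past seq0, nothing to classify`. dpi_desync_tcp_packet_play continues outside the hunk.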
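Review bot: The removed DLOG line passed `rseq` with no matching conversion and apparently drew no diagnostic, which suggests DLOG is not declared with a printf format attribute; if it wraps a printf-style function, adding `__attribute__((format(printf, N, M)))` with the appropriate argument indices to its declaration would have caught this mismatch at compile time and will catch the next one. Since `rseq` is `uint32_t`, `%" PRIu32 "` from <inttypes.h> is the exact-width specifier, although `%u` is correct wherever unsigned int is 32 bits.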
@@ -368,8 +368,10 @@ bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *
 // extract 2nd level domains
 const char *dhost, *drhost;
- if (!FindNLD((uint8_t*)host,strlen(host),2,(const uint8_t**)&dhost,NULL) || !FindNLD((uint8_t*)redirect_host,strlen(redirect_host),2,(const uint8_t**)&drhost,NULL))
+ if (!FindNLD((uint8_t*)redirect_host,strlen(redirect_host),2,(const uint8_t**)&drhost,NULL))
 return false;
+ if (!FindNLD((uint8_t*)host,strlen(host),2,(const uint8_t**)&dhost,NULL))
+ return true; // no SLD redirects to SLD
 // compare 2nd level domains
 return strcasecmp(dhost, drhost)!=0;
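Review bot: The split changes the verdict when `host` has no second-level domain: the removed line returned false (not a DPI redirect) for that case, while the new `return true; // no SLD redirects to SLD` reports a redirect whenever the Location target has an SLD. A single-label or TLD-only request hostname (an intranet name, `localhost`, a host reached via a search domain) that legitimately redirects to a fully qualified name will now be classified as DPI interference and presumably, through the caller, end up in the auto hostlist; if `host` is validated to be fully qualified before this point (outside the hunk) that is harmless, otherwise keeping `return false` for such a `host` avoids the false positive. Either way the one-line comment deserves spelling out, e.g. `// host has no SLD: a redirect to a host that has one counts as a DPI redirect`. Note that `dhost` is assigned only when the second FindNLD succeeds, which the early return correctly respects; HttpReplyLooksLikeDPIRedirect starts before the hunk.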