From e61967ac2bdc4f69b79616f71326f220b4a39edf Mon Sep 17 00:00:00 2001
From: bol-van
Date: Tue, 2 Dec 2025 21:38:13 +0300
Subject: [PATCH] nfqws2: profile names
---
 nfq2/desync.c | 35 ++++++++++++++++++-----------------
 nfq2/hostlist.c | 12 ++++++------
 nfq2/ipset.c | 10 +++++-----
 nfq2/nfqws.c | 23 +++++++++++++++++------
 nfq2/params.c | 1 +
 nfq2/params.h | 2 ++
 6 files changed, 49 insertions(+), 34 deletions(-)
diff --git a/nfq2/desync.c b/nfq2/desync.c
index 9e2496f..21e74a5 100644
--- a/nfq2/desync.c
+++ b/nfq2/desync.c
@@ -209,7 +209,7 @@ static struct desync_profile *dp_find(
 {
 if (dp_match(&dpl->dp, l3proto, ip, ip6, port, hostname, bNoSubdom, l7proto, ssid, bCheckDone, bCheckResult, bExcluded))
 {
- DLOG("desync profile %u matches\n", dpl->dp.n);
+ DLOG("desync profile %u (%s) matches\n", dpl->dp.n, PROFILE_NAME(&dpl->dp));
 return &dpl->dp;
 }
 }
@@ -234,8 +234,8 @@ static void auto_hostlist_reset_fail_counter(struct desync_profile *dp, const ch
 if (fail_counter)
 {
 HostFailPoolDel(&dp->hostlist_auto_fail_counters, fail_counter);
- DLOG("auto hostlist (profile %u) : %s : fail counter reset. website is working.\n", dp->n, hostname);
- HOSTLIST_DEBUGLOG_APPEND("%s : profile %u : client %s : proto %s : fail counter reset. website is working.", hostname, dp->n, client_ip_port, l7proto_str(l7proto));
+ DLOG("auto hostlist (profile %u (%s)) : %s : fail counter reset. website is working.\n", dp->n, PROFILE_NAME(dp), hostname);
+ HOSTLIST_DEBUGLOG_APPEND("%s : profile %u (%s) : client %s : proto %s : fail counter reset. website is working.", hostname, dp->n, PROFILE_NAME(dp), client_ip_port, l7proto_str(l7proto));
 }
 }
 }
@@ -283,19 +283,19 @@ static void auto_hostlist_failed(struct desync_profile *dp, const char *hostname
 }
 }
 fail_counter->counter++;
- DLOG("auto hostlist (profile %u) : %s : fail counter %d/%d\n", dp->n, hostname, fail_counter->counter, dp->hostlist_auto_fail_threshold);
- HOSTLIST_DEBUGLOG_APPEND("%s : profile %u : client %s : proto %s : fail counter %d/%d", hostname, dp->n, client_ip_port, l7proto_str(l7proto), fail_counter->counter, dp->hostlist_auto_fail_threshold);
+ DLOG("auto hostlist (profile %u (%s)) : %s : fail counter %d/%d\n", dp->n, PROFILE_NAME(dp), hostname, fail_counter->counter, dp->hostlist_auto_fail_threshold);
+ HOSTLIST_DEBUGLOG_APPEND("%s : profile %u (%s) : client %s : proto %s : fail counter %d/%d", hostname, dp->n, PROFILE_NAME(dp), client_ip_port, l7proto_str(l7proto), fail_counter->counter, dp->hostlist_auto_fail_threshold);
 if (fail_counter->counter >= dp->hostlist_auto_fail_threshold)
 {
- DLOG("auto hostlist (profile %u) : fail threshold reached. about to add %s to auto hostlist\n", dp->n, hostname);
+ DLOG("auto hostlist (profile %u (%s)) : fail threshold reached. 
about to add %s to auto hostlist\n", dp->n, PROFILE_NAME(dp), hostname);
 HostFailPoolDel(&dp->hostlist_auto_fail_counters, fail_counter);
- DLOG("auto hostlist (profile %u) : rechecking %s to avoid duplicates\n", dp->n, hostname);
+ DLOG("auto hostlist (profile %u (%s)) : rechecking %s to avoid duplicates\n", dp->n, PROFILE_NAME(dp), hostname);
 bool bExcluded = false;
 if (!HostlistCheck(dp, hostname, bNoSubdom, &bExcluded, false) && !bExcluded)
 {
 DLOG("auto hostlist (profile %u) : adding %s to %s\n", dp->n, hostname, dp->hostlist_auto->filename);
- HOSTLIST_DEBUGLOG_APPEND("%s : profile %u : client %s : proto %s : adding to %s", hostname, dp->n, client_ip_port, l7proto_str(l7proto), dp->hostlist_auto->filename);
+ HOSTLIST_DEBUGLOG_APPEND("%s : profile %u (%s) : client %s : proto %s : adding to %s", hostname, dp->n, PROFILE_NAME(dp), client_ip_port, l7proto_str(l7proto), dp->hostlist_auto->filename);
 if (!HostlistPoolAddStr(&dp->hostlist_auto->hostlist, hostname, 0))
 {
 DLOG_ERR("StrPoolAddStr out of memory\n");
@@ -312,7 +312,7 @@ static void auto_hostlist_failed(struct desync_profile *dp, const char *hostname
 else
 {
 DLOG("auto hostlist (profile %u) : NOT adding %s\n", dp->n, hostname);
- HOSTLIST_DEBUGLOG_APPEND("%s : profile %u : client %s : proto %s : NOT adding, duplicate detected", hostname, dp->n, client_ip_port, l7proto_str(l7proto));
+ HOSTLIST_DEBUGLOG_APPEND("%s : profile %u (%s) : client %s : proto %s : NOT adding, duplicate detected", hostname, dp->n, PROFILE_NAME(dp), client_ip_port, l7proto_str(l7proto));
 }
 }
 }
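Review bot: Two DLOG lines in auto_hostlist_failed still print the bare profile number after this change: the context line `DLOG("auto hostlist (profile %u) : adding %s to %s\n", dp->n, hostname, dp->hostlist_auto->filename);` in this hunk and `DLOG("auto hostlist (profile %u) : NOT adding %s\n", dp->n, hostname);` in the hunk at line 312, while the HOSTLIST_DEBUGLOG_APPEND calls next to each of them were switched to the `%u (%s)` form. Changing them to `DLOG("auto hostlist (profile %u (%s)) : adding %s to %s\n", dp->n, PROFILE_NAME(dp), hostname, dp->hostlist_auto->filename);` and `DLOG("auto hostlist (profile %u (%s)) : NOT adding %s\n", dp->n, PROFILE_NAME(dp), hostname);` keeps the debug log uniform, which matters when several profiles share a hostlist and the operator correlates lines by name. auto_hostlist_failed starts and ends outside this hunk.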
@@ -328,7 +328,7 @@ static void process_retrans_fail(t_ctrack *ctrack, uint8_t proto, const struct s
 *client_ip_port = 0;
 if (ctrack && ctrack->dp && ctrack->hostname && auto_hostlist_retrans(ctrack, proto, ctrack->dp->hostlist_auto_retrans_threshold, client_ip_port, ctrack->l7proto))
 {
- HOSTLIST_DEBUGLOG_APPEND("%s : profile %u : client %s : proto %s : retrans threshold reached", ctrack->hostname, ctrack->dp->n, client_ip_port, l7proto_str(ctrack->l7proto));
+ HOSTLIST_DEBUGLOG_APPEND("%s : profile %u (%s) : client %s : proto %s : retrans threshold reached", ctrack->hostname, ctrack->dp->n, PROFILE_NAME(ctrack->dp), client_ip_port, l7proto_str(ctrack->l7proto));
 auto_hostlist_failed(ctrack->dp, ctrack->hostname, ctrack->hostname_is_ip, client_ip_port, ctrack->l7proto);
 }
 }
@@ -719,10 +719,11 @@ static uint8_t desync(
 else
 {
 // create arg table that persists across multiple desync function calls
- lua_createtable(params.L, 0, 12 + !!ctrack + !!dis->tcp + 3*!!replay_piece_count);
+ lua_createtable(params.L, 0, 12 + !!dp->name + !!ctrack + !!dis->tcp + 3*!!replay_piece_count);
 lua_pushf_dissect(dis);
 lua_pushf_ctrack(ctrack);
 lua_pushf_int("profile_n", dp->n);
+ if (dp->name) lua_pushf_str("profile_name", dp->name);
 lua_pushf_bool("outgoing", !bIncoming);
 lua_pushf_str("ifin", (ifin && *ifin) ? ifin : NULL);
 lua_pushf_str("ifout", (ifout && *ifout) ? ifout : NULL);
@@ -943,7 +944,7 @@ static uint8_t dpi_desync_tcp_packet_play(unsigned int replay_piece, unsigned in
 l7proto = ctrack_replay->l7proto;
 dp = ctrack_replay->dp;
 if (dp)
- DLOG("using cached desync profile %u\n", dp->n);
+ DLOG("using cached desync profile %u (%s)\n", dp->n, PROFILE_NAME(dp));
 else if (!ctrack_replay->dp_search_complete)
 {
 dp = ctrack_replay->dp = dp_find(¶ms.desync_profiles, IPPROTO_TCP, sdip4, sdip6, sdport, ctrack_replay->hostname, ctrack_replay->hostname_is_ip, l7proto, ssid, NULL, NULL, NULL);
@@ -979,7 +980,7 @@ static uint8_t dpi_desync_tcp_packet_play(unsigned int replay_piece, unsigned in
 #endif
 if (ctrack) l7proto = ctrack->l7proto;
 if (dp)
- DLOG("using cached desync profile %u\n", dp->n);
+ DLOG("using cached desync profile %u (%s)\n", dp->n, PROFILE_NAME(dp));
 else if (!ctrack || !ctrack->dp_search_complete)
 {
 const char *hostname = NULL;
@@ -1073,7 +1074,7 @@ static uint8_t dpi_desync_tcp_packet_play(unsigned int replay_piece, unsigned in
 if (dis->tcp->th_flags & TH_RST)
 {
 DLOG("incoming RST detected for hostname %s\n", ctrack->hostname);
- HOSTLIST_DEBUGLOG_APPEND("%s : profile %u : client %s : proto %s : incoming RST", ctrack->hostname, ctrack->dp->n, client_ip_port, l7proto_str(l7proto));
+ HOSTLIST_DEBUGLOG_APPEND("%s : profile %u (%s) : client %s : proto %s : incoming RST", ctrack->hostname, ctrack->dp->n, PROFILE_NAME(dp), client_ip_port, l7proto_str(l7proto));
 bFail = true;
 }
 else if (dis->len_payload && l7proto == L7_HTTP)
@@ -1085,7 +1086,7 @@ static uint8_t dpi_desync_tcp_packet_play(unsigned int replay_piece, unsigned in
 if (bFail)
 {
 DLOG("redirect to another domain detected. possibly DPI redirect.\n");
- HOSTLIST_DEBUGLOG_APPEND("%s : profile %u : client %s : proto %s : redirect to another domain", ctrack->hostname, ctrack->dp->n, client_ip_port, l7proto_str(l7proto));
+ HOSTLIST_DEBUGLOG_APPEND("%s : profile %u (%s) : client %s : proto %s : redirect to another domain", ctrack->hostname, ctrack->dp->n, PROFILE_NAME(dp), client_ip_port, l7proto_str(l7proto));
 }
 else
 DLOG("local or in-domain redirect detected. it's not a DPI redirect.\n");
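Review bot: In the HOSTLIST_DEBUGLOG_APPEND calls of the hunks at lines 1074 and 1086 the profile number is read from `ctrack->dp->n` but the name from `PROFILE_NAME(dp)`, so the two columns come from different pointers; every other call site in this commit takes both from the same profile. The local `dp` in this function is not necessarily the same object as `ctrack->dp` (the hunk at line 980 shows it being tested and, when unset, searched for in code that continues outside the hunk), so unless that equality is guaranteed here the log could pair one profile's number with another's name, or dereference a NULL `dp` where `ctrack->dp` is valid. `PROFILE_NAME(ctrack->dp)` in both calls matches the neighbouring argument and is safe exactly when `ctrack->dp->n` is. dpi_desync_tcp_packet_play starts and ends outside these hunks.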
@@ -1416,7 +1417,7 @@ static uint8_t dpi_desync_udp_packet_play(unsigned int replay_piece, unsigned in
 l7proto = ctrack_replay->l7proto;
 dp = ctrack_replay->dp;
 if (dp)
- DLOG("using cached desync profile %u\n", dp->n);
+ DLOG("using cached desync profile %u (%s)\n", dp->n, PROFILE_NAME(dp));
 else if (!ctrack_replay->dp_search_complete)
 {
 dp = ctrack_replay->dp = dp_find(¶ms.desync_profiles, IPPROTO_UDP, sdip4, sdip6, sdport, ctrack_replay->hostname, ctrack_replay->hostname_is_ip, l7proto, ssid, NULL, NULL, NULL);
@@ -1452,7 +1453,7 @@ static uint8_t dpi_desync_udp_packet_play(unsigned int replay_piece, unsigned in
 #endif
 if (ctrack) l7proto = ctrack->l7proto;
 if (dp)
- DLOG("using cached desync profile %u\n", dp->n);
+ DLOG("using cached desync profile %u (%s)\n", dp->n, PROFILE_NAME(dp));
 else if (!ctrack || !ctrack->dp_search_complete)
 {
 const char *hostname = NULL;
diff --git a/nfq2/hostlist.c b/nfq2/hostlist.c
index dcbd8fe..f783b16 100644
--- a/nfq2/hostlist.c
+++ b/nfq2/hostlist.c
@@ -258,7 +258,7 @@ static bool HostlistCheck_(const struct hostlist_collection_head *hostlists, con
 // return : true = apply fooling, false = do not apply
 bool HostlistCheck(const struct desync_profile *dp, const char *host, bool no_match_subdomains, bool *excluded, bool bSkipReloadCheck)
 {
- DLOG("* hostlist check for profile %u\n",dp->n);
+ DLOG("* hostlist check for profile %u (%s)\n",dp->n,PROFILE_NAME(dp));
 return HostlistCheck_(&dp->hl_collection, &dp->hl_collection_exclude, host, no_match_subdomains, excluded, bSkipReloadCheck);
 }
@@ -323,18 +323,18 @@ void HostlistsDebug()
 if (hl_item->hfile!=dpl->dp.hostlist_auto)
 {
 if (hl_item->hfile->filename)
- DLOG("profile %u include hostlist %s%s\n",dpl->dp.n, hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
+ DLOG("profile %u (%s) include hostlist %s%s\n",dpl->dp.n, PROFILE_NAME(&dpl->dp), hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
 else
- DLOG("profile %u include fixed hostlist%s\n",dpl->dp.n, hl_item->hfile->hostlist ? "" : " (empty)");
+ DLOG("profile %u (%s) include fixed hostlist%s\n",dpl->dp.n, PROFILE_NAME(&dpl->dp), hl_item->hfile->hostlist ? "" : " (empty)");
 }
 LIST_FOREACH(hl_item, &dpl->dp.hl_collection_exclude, next)
 {
 if (hl_item->hfile->filename)
- DLOG("profile %u exclude hostlist %s%s\n",dpl->dp.n,hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
+ DLOG("profile %u (%s) exclude hostlist %s%s\n",dpl->dp.n,PROFILE_NAME(&dpl->dp),hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
 else
- DLOG("profile %u exclude fixed hostlist%s\n",dpl->dp.n,hl_item->hfile->hostlist ? "" : " (empty)");
+ DLOG("profile %u (%s) exclude fixed hostlist%s\n",dpl->dp.n,PROFILE_NAME(&dpl->dp),hl_item->hfile->hostlist ? "" : " (empty)");
 }
 if (dpl->dp.hostlist_auto)
- DLOG("profile %u auto hostlist %s%s\n",dpl->dp.n,dpl->dp.hostlist_auto->filename,dpl->dp.hostlist_auto->hostlist ? "" : " (empty)");
+ DLOG("profile %u (%s) auto hostlist %s%s\n",dpl->dp.n,PROFILE_NAME(&dpl->dp),dpl->dp.hostlist_auto->filename,dpl->dp.hostlist_auto->hostlist ? "" : " (empty)");
 }
 }
diff --git a/nfq2/ipset.c b/nfq2/ipset.c
index f9ba0fc..27bbadd 100644
--- a/nfq2/ipset.c
+++ b/nfq2/ipset.c
@@ -235,7 +235,7 @@ static bool IpsetCheck_(const struct ipset_collection_head *ips, const struct ip
 bool IpsetCheck(const struct desync_profile *dp, const struct in_addr *ipv4, const struct in6_addr *ipv6)
 {
 if (PROFILE_IPSETS_ABSENT(dp)) return true;
- DLOG("* ipset check for profile %u\n",dp->n);
+ DLOG("* ipset check for profile %u (%s)\n",dp->n,PROFILE_NAME(dp));
 return IpsetCheck_(&dp->ips_collection,&dp->ips_collection_exclude,ipv4,ipv6);
 }
@@ -307,13 +307,13 @@ void IpsetsDebug()
 {
 LIST_FOREACH(ips_item, &dpl->dp.ips_collection, next)
 if (ips_item->hfile->filename)
- DLOG("profile %u include ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
+ DLOG("profile %u (%s) include ipset %s (%s)\n",dpl->dp.n,PROFILE_NAME(&dpl->dp),ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
 else
- DLOG("profile %u include fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
+ DLOG("profile %u (%s) include fixed ipset (%s)\n",dpl->dp.n,PROFILE_NAME(&dpl->dp),dbg_ipset_fill(&ips_item->hfile->ipset));
 LIST_FOREACH(ips_item, &dpl->dp.ips_collection_exclude, next)
 if (ips_item->hfile->filename)
- DLOG("profile %u exclude ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
+ DLOG("profile %u (%s) exclude ipset %s (%s)\n",dpl->dp.n,PROFILE_NAME(&dpl->dp),ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
 else
- DLOG("profile %u exclude fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
+ DLOG("profile %u (%s) exclude fixed ipset (%s)\n",dpl->dp.n,PROFILE_NAME(&dpl->dp),dbg_ipset_fill(&ips_item->hfile->ipset));
 }
 }
diff --git a/nfq2/nfqws.c b/nfq2/nfqws.c
index 33be666..ca9e919 100644
--- a/nfq2/nfqws.c
+++ b/nfq2/nfqws.c
@@ -99,7 +99,7 @@ static void onusr2(int sig)
 struct desync_profile_list *dpl;
 LIST_FOREACH(dpl, ¶ms.desync_profiles, next)
 {
- printf("\nDESYNC profile %u\n", dpl->dp.n);
+ printf("\nDESYNC profile %u (%s)\n", dpl->dp.n, PROFILE_NAME(&dpl->dp));
 HostFailPoolDump(dpl->dp.hostlist_auto_fail_counters);
 }
 printf("\nIPCACHE\n");
@@ -1165,7 +1165,7 @@ static void LuaDesyncDebug(struct desync_profile *dp)
 int n,i;
 LIST_FOREACH(func, &dp->lua_desync, next)
 {
- DLOG("profile %u lua %s(",dp->n,func->func);
+ DLOG("profile %u (%s) lua %s(",dp->n,PROFILE_NAME(dp),func->func);
 n=0;
 LIST_FOREACH(arg, &func->args, next)
 {
@@ -1412,8 +1412,9 @@ static void exithelp(void)
 " --lua-init=@|\t\t\t; load LUA program from a file or string. if multiple parameters present order of execution is preserved.\n"
 " --lua-gc=\t\t\t\t\t\t; forced garbage collection every N sec. default %u sec. triggers only when a packet arrives. 0 = disable.\n"
 "\nMULTI-STRATEGY:\n"
- " --new\t\t\t\t\t\t\t; begin new strategy\n"
- " --skip\t\t\t\t\t\t\t; do not use this strategy\n"
+ " --new\t\t\t\t\t\t\t; begin new profile\n"
+ " --skip\t\t\t\t\t\t\t; do not use this profile\n"
+ " --name\t\t\t\t\t\t\t; set profile name\n"
 " --filter-l3=ipv4|ipv6\t\t\t\t\t; L3 protocol filter. multiple comma separated values allowed.\n"
 " --filter-tcp=[~]port1[-port2]|*\t\t\t; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list allowed.\n"
 " --filter-udp=[~]port1[-port2]|*\t\t\t; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list allowed.\n"
@@ -1563,6 +1564,7 @@ enum opt_indices {
 IDX_HOSTLIST_AUTO_DEBUG,
 IDX_NEW,
 IDX_SKIP,
+ IDX_NAME,
 IDX_FILTER_L3,
 IDX_FILTER_TCP,
 IDX_FILTER_UDP,
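Review bot: The new help line `" --name\t\t\t\t\t\t\t; set profile name\n"` in the exithelp hunk at line 1412 does not show that the option takes a value, although long_options registers `name` with `required_argument` (hunk at line 1645); the neighbouring `--lua-gc=` line shows the `=` form used for the other value-taking options. Suggest `" --name=<name>\t\t\t\t\t\t; set profile name\n"` in whatever argument notation the surrounding lines use, dropping one tab so the description column stays aligned. It would also help users to say where the name shows up: in debug log lines after the profile number, presumably in the `--hostlist-auto-debug` output (the HOSTLIST_DEBUGLOG_APPEND calls changed in desync.c), and as the `profile_name` field of the Lua argument table (desync.c hunk at line 719). exithelp starts and ends outside the hunk.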
@@ -1643,6 +1645,7 @@ static const struct option long_options[] = {
 [IDX_HOSTLIST_AUTO_DEBUG] = {"hostlist-auto-debug", required_argument, 0, 0},
 [IDX_NEW] = {"new", no_argument, 0, 0},
 [IDX_SKIP] = {"skip", no_argument, 0, 0},
+ [IDX_NAME] = {"name", required_argument, 0, 0},
 [IDX_FILTER_L3] = {"filter-l3", required_argument, 0, 0},
 [IDX_FILTER_TCP] = {"filter-tcp", required_argument, 0, 0},
 [IDX_FILTER_UDP] = {"filter-udp", required_argument, 0, 0},
@@ -2138,6 +2141,14 @@ int main(int argc, char **argv)
 case IDX_SKIP:
 bSkip = true;
 break;
+ case IDX_NAME:
+ free(dp->name);
+ if (!(dp->name = strdup(optarg)))
+ {
+ DLOG_ERR("out of memory\n");
+ exit_clean(1);
+ }
+ break;
 case IDX_FILTER_L3:
 if (!wf_make_l3(optarg, &dp->filter_ipv4, &dp->filter_ipv6))
@@ -2424,7 +2435,7 @@ int main(int argc, char **argv)
 DLOG("adding low-priority default empty desync profile\n");
 // add default empty profile
- if (!(dpl = dp_list_add(¶ms.desync_profiles)))
+ if (!(dpl = dp_list_add(¶ms.desync_profiles)) || !(dpl->dp.name=strdup("no_action")))
 {
 DLOG_ERR("desync_profile_add: out of memory\n");
 exit_clean(1);
@@ -2464,7 +2475,7 @@ int main(int argc, char **argv)
 if (params.droproot)
 #endif
 {
- if (dp->hostlist_auto && ensure_file_access(dp->hostlist_auto->filename))
+ if (dp->hostlist_auto && !ensure_file_access(dp->hostlist_auto->filename))
 DLOG_ERR("could not make '%s' accessible. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);
 }
diff --git a/nfq2/params.c b/nfq2/params.c
index 6e9b714..c80cd09 100644
--- a/nfq2/params.c
+++ b/nfq2/params.c
@@ -369,6 +369,7 @@ static void dp_clear_dynamic(struct desync_profile *dp)
 strlist_destroy(&dp->filter_ssid);
 #endif
 HostFailPoolDestroy(&dp->hostlist_auto_fail_counters);
+ free(dp->name);
 }
 void dp_clear(struct desync_profile *dp)
 {
diff --git a/nfq2/params.h b/nfq2/params.h
index b8b261a..86a7b30 100644
--- a/nfq2/params.h
+++ b/nfq2/params.h
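Review bot: The `case IDX_NAME:` block in the hunk at line 2141 stores whatever string follows `--name` without any check, and PROFILE_NAME only substitutes "noname" for a NULL pointer, so `--name=` produces log lines such as `profile 1 ()` and a name containing newlines or control characters is written verbatim into the debug log and the auto-hostlist debug log, where it can break line-oriented parsing of those files. Treating an empty value as "no name" and rejecting non-printable characters keeps the log unambiguous; the first part is one line before the strdup: `if (!*optarg) { free(dp->name); dp->name = NULL; break; }`. The value is also passed to Lua as `profile_name` (desync.c hunk at line 719), which is fine as it is pushed as a plain string value. main starts and ends outside the hunk.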
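Review bot: The `!ensure_file_access(...)` change in the hunk at line 2475 is a behaviour fix unrelated to profile names, and neither the subject line nor the description mentions it; assuming ensure_file_access returns true on success, as the added `!` implies, the old code only logged the "could not make ... accessible" error when the call had in fact succeeded and stayed silent when it failed. Worth its own commit, or at least a line in the message, so that anyone later tracing why an auto hostlist stopped being writable after the privilege drop can find the fix.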
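Review bot: `free(dp->name);` in dp_clear_dynamic (params.c hunk at line 369) leaves a dangling pointer in the profile; if the struct can be reused after this call (dp_clear is defined right below, but its body and the callers are outside the hunk), a later PROFILE_NAME(dp) would read freed memory and a second clear would double-free. `dp->name = NULL;` after the free costs nothing and removes both possibilities, matching the "freed pointers are reset" discipline used for the other dynamic members if they follow it.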
@@ -53,6 +53,7 @@ enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG, LOG_
 struct desync_profile
 {
 unsigned int n; // number of the profile
+ char *name; // optional malloced name string
 bool filter_ipv4,filter_ipv6;
 struct port_filters_head pf_tcp,pf_udp;
@@ -78,6 +79,7 @@ struct desync_profile
 struct func_list_head lua_desync;
 };
+#define PROFILE_NAME(dp) ((dp)->name ? (dp)->name : "noname")
 #define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&(dp)->ips_collection) && !LIST_FIRST(&(dp)->ips_collection_exclude))
 #define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&(dp)->ips_collection) && ipset_collection_is_empty(&(dp)->ips_collection_exclude))
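Review bot: The comment on the new field, `// optional malloced name string`, says how the string is allocated but not who owns it or where it comes from, which is what the next maintainer will look for. The rest of the commit establishes both, so the comment can state them: `char *name; // optional profile name from --name; owned by the profile, freed in dp_clear_dynamic()`. struct desync_profile continues past the hunk.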
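Review bot: `PROFILE_NAME(dp)` evaluates its argument twice, which is harmless for the plain pointer expressions this commit passes (`dp`, `&dpl->dp`, `ctrack->dp`) but is a trap once the macro is used from four files; a one-line comment above the define would make that explicit, e.g. `// printable profile name for logs; "noname" when --name was not given. evaluates dp twice.`. If double evaluation is a concern, a `static inline const char *profile_name(const struct desync_profile *dp)` with the same body avoids it at no cost.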