gandc/zapret2
Template
1
0
Fork 0
mirror of https://github.com/bol-van/zapret2.git synced 2026-03-14 06:13:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gandc:v0.3
Branches Tags
gandc:master
gandc:v0.9.4.5 gandc:v0.9.4.4 gandc:v0.9.4.3 gandc:v0.9.4.2 gandc:v0.9.4.1 gandc:v0.9.3 gandc:v0.9.2 gandc:v0.9.1 gandc:v0.9.0.4 gandc:v0.8.6 gandc:v0.8.4 gandc:v0.8.3 gandc:v0.8.2 gandc:v0.8.1 gandc:v0.8 gandc:v0.7.6 gandc:v0.7.5 gandc:v0.7.4 gandc:v0.7.2 gandc:v0.7.1 gandc:v0.7 gandc:v0.6.1 gandc:v0.5.1 gandc:v0.5 gandc:v0.4 gandc:v0.3 gandc:v0.2 gandc:v0.1.4 gandc:v0.1.2 gandc:v0.1.1
...
compare: gandc:v0.7
Branches Tags
gandc:master
gandc:v0.9.4.5 gandc:v0.9.4.4 gandc:v0.9.4.3 gandc:v0.9.4.2 gandc:v0.9.4.1 gandc:v0.9.3 gandc:v0.9.2 gandc:v0.9.1 gandc:v0.9.0.4 gandc:v0.8.6 gandc:v0.8.4 gandc:v0.8.3 gandc:v0.8.2 gandc:v0.8.1 gandc:v0.8 gandc:v0.7.6 gandc:v0.7.5 gandc:v0.7.4 gandc:v0.7.2 gandc:v0.7.1 gandc:v0.7 gandc:v0.6.1 gandc:v0.5.1 gandc:v0.5 gandc:v0.4 gandc:v0.3 gandc:v0.2 gandc:v0.1.4 gandc:v0.1.2 gandc:v0.1.1

84 Commits
v0.3 ... v0.7

Author SHA1 Message Date
bol-van
7708021587 nfqws2: rewrite autohostlist udp failure detector logic 2025-12-11 15:19:31 +03:00
bol-van
912aadf6ca zapret-auto: override host autostate key 2025-12-11 13:41:04 +03:00
bol-van
420cc0c3ef nfqws2: fix crash 2025-12-11 13:38:10 +03:00
bol-van
6ce5829d06 zapret-auto: override host autostate key 2025-12-11 12:57:32 +03:00
bol-van
a6d43af931 nfqws2: autohostlist do not react to rseq 0 2025-12-11 01:03:25 +03:00
bol-van
ca9898959e nfqws2: remove commented test code 2025-12-11 00:23:20 +03:00
bol-van
8cd2904614 nfqws2: push desync.track.pos.dt as float with nsec accuracy 2025-12-11 00:21:22 +03:00
bol-van
0de1ab1b1b init.d: AUTOHOSTLIST_INCOMING_MAXSEQ 2025-12-10 23:21:30 +03:00
bol-van
d1690aadcf nfqws2: autohostlist incoming failure triggers change 2025-12-10 23:11:28 +03:00
bol-van
2dd8533fb5 nfqws2,zapret-lib.lua,zapret-auto.lua: restructure conntrack record 2025-12-10 19:36:31 +03:00
bol-van
33ac18ea6b zapret-lib,zapret-auto: do not use desync copy to not lose VERDICT_MODIFY changes 2025-12-10 13:43:39 +03:00
bol-van
5c05c10f83 zapret-lib: return 0 if #val refers to non-string and non-table type 2025-12-10 10:49:46 +03:00
bol-van
7de0995d4a nfqws2,zapret-lib: fix non-working # and % arg subst under orchestrator 2025-12-10 10:28:48 +03:00
bol-van
a1c64e4dea update doc 2025-12-09 18:08:36 +03:00
bol-van
92b66b1535 update doc 2025-12-09 18:08:01 +03:00
bol-van
9bf4fb11e7 update doc 2025-12-09 18:05:08 +03:00
bol-van
7deeb04207 start writing manual.md 2025-12-09 18:00:24 +03:00
bol-van
776155a326 blockcheck2: fix unterminated string 2025-12-09 14:17:07 +03:00
bol-van
30423596ca zapret-lib: detect_payload_str 2025-12-09 12:18:59 +03:00
bol-van
27ef67adf9 zapret-auto: cond_payload_str 2025-12-09 11:48:23 +03:00
bol-van
bb604f111c zapret-auto: add comments 2025-12-09 11:22:09 +03:00
bol-van
e5174bc9ad zapret-auto: condition and stopif orchestrators 2025-12-09 10:50:54 +03:00
bol-van
6c29bf6702 zapret-lib,zapret-auto: allow nested orchestration 2025-12-09 09:52:24 +03:00
bol-van
976033be37 nfqws2: do not increase upseq_prev on empty packets 2025-12-09 09:52:08 +03:00
bol-van
f9b2135688 zapret-auto: add comments 2025-12-08 22:45:42 +03:00
bol-van
844fa6ab47 zapret-auto: optimize detector code 2025-12-08 20:02:26 +03:00
bol-van
dc0fe70bd6 zapret-auto: udp_in/udp_out failure detection 2025-12-08 19:46:00 +03:00
bol-van
2752c26795 blockcheck2: FOOLINGS_UDP overridable 2025-12-08 18:37:18 +03:00
bol-van
1600b41135 init.d: support --hostlist-auto-retrans-threshold 2025-12-08 16:52:49 +03:00
bol-van
2017889207 nfqws2: change retransmission detection scheme 2025-12-08 16:46:04 +03:00
bol-van
146ab847df nfqws2: allow dupsid with partial tls 2025-12-08 11:31:46 +03:00
bol-van
cf9059ed22 update changes.txt 2025-12-08 10:57:04 +03:00
bol-van
c94264c79e nfqws2: more fixes to reasm overlap support 2025-12-08 10:55:32 +03:00
bol-van
04cb71150a nfqws2: improve reasm overlap support 2025-12-08 10:35:26 +03:00
bol-van
378ee514c4 nfqws2: reasm support negative overlaps without gaps and without going beyond the starting seq 2025-12-08 09:55:44 +03:00
bol-van
1a190fcf9e nfqws2: increase tls_mod sni max size 2025-12-07 21:30:07 +03:00
bol-van
0f8a788351 zapret-auto: optimize code 2025-12-07 20:05:43 +03:00
bol-van
4c00f11c15 zapret-auto: move crec record get 2025-12-07 20:01:29 +03:00
bol-van
0f8cfd7022 zapret-lib: remove duplicate function 2025-12-07 19:59:31 +03:00
bol-van
4563b6ddcb blockcheck2: syndata tests 2025-12-07 19:44:28 +03:00
bol-van
9ae6927a0e zapret-auto: remove duplicate seq assignment 2025-12-07 17:03:45 +03:00
bol-van
8540278c9b zapret-antidpi: use tls_mod_shim 2025-12-07 17:00:55 +03:00
bol-van
76b9ab5075 zapret-lib: improve random seed 2025-12-07 16:52:37 +03:00
bol-van
3a153035e8 zapret-lib,zapret-antidpi: support sni=%var in tls_mod 2025-12-07 15:08:56 +03:00
bol-van
2b5eb3cd2d blockcheck2: remove newline print if test function absent 2025-12-07 14:31:56 +03:00
bol-van
2c35e8949a blockcheck2: fix brokern http3 test 2025-12-07 14:01:54 +03:00
bol-van
7edd428508 zapret-auto, zapret-lib: deduplicate plan instance execution code 2025-12-07 11:07:46 +03:00
bol-van
7749fce7dc zapret-auto: separate failure detection logic 2025-12-07 10:51:52 +03:00
bol-van
ea6e1e0853 blockcheck2: change qnum to allow parallel run with blockcheck1 for different domains 2025-12-07 09:46:32 +03:00
bol-van
7d2f12cbad zapret-auto: remove unused code 2025-12-06 23:50:35 +03:00
bol-van
f91c069a8b nfqws2: fix wrong enum type 2025-12-06 23:25:19 +03:00
bol-van
6961c013c5 actions: build x86 binary with classic LUA 5.4 2025-12-06 23:13:19 +03:00
bol-van
e5736b5fdd fix multiple problems with lua_Integer 32 bit type in lua < 5.3 on 32-bit platforms 2025-12-06 22:43:45 +03:00
bol-van
efa675468d nfqws2: fix wrong payload/proto type 2025-12-06 20:53:42 +03:00
bol-van
1073f03802 update changes.txt 2025-12-06 20:27:26 +03:00
bol-van
9125cb0205 zapret-auto: circular.reqhost parameter 2025-12-06 20:25:04 +03:00
bol-van
9d5435f977 nfqws2: do not export instance_cutoff, export l7proto for conntrack-less case 2025-12-06 19:43:39 +03:00
bol-van
f17ab4c91e zapret-lib,zapret-auto: unify messages 2025-12-06 17:19:28 +03:00
bol-van
97aa261e14 winws: always catch http redirect 2025-12-06 16:18:18 +03:00
bol-van
813fece07a nfqws2,zapret-auto: circular orchestrator 2025-12-06 15:58:09 +03:00
bol-van
2a7b44b1d0 zapret-lib: port support in url dissector 2025-12-06 10:46:47 +03:00
bol-van
28e719d825 zapret-lib: url and nld dissectors 2025-12-06 10:39:19 +03:00
bol-van
18725f6442 zapret-lib: remove temp debug code 2025-12-06 10:01:19 +03:00
bol-van
20b20fbb90 zapret-tests: adapt to 32bit arithmetics 2025-12-06 10:00:19 +03:00
bol-van
967b53b628 update changes.txt 2025-12-06 09:59:08 +03:00
bol-van
9cebc5cc37 nfqws2: remove any arithmetics beyond 32 bit 2025-12-06 09:57:08 +03:00
bol-van
0dc29c9c35 zapret-lib: http_reply dissector 2025-12-05 22:51:56 +03:00
bol-van
fd1eac2ef1 zapret-lib: fix seq number substraction 2025-12-05 22:31:51 +03:00
bol-van
0c2abab6a9 nfqws2: uXadd luacalls 2025-12-05 22:31:27 +03:00
bol-van
efd8acb8de zapret-lib: fix multiple problems 2025-12-05 14:42:33 +03:00
bol-van
a147ebef61 update changes.txt 2025-12-05 11:28:58 +03:00
bol-van
7f4bdd5eb4 update changes.txt 2025-12-05 11:09:48 +03:00
bol-van
0588240d8d nfqws2: LUA_COMPAT_VER tracking 2025-12-05 11:07:14 +03:00
bol-van
b9e03ef71b nfqws2: --template <name> , --cookie 2025-12-05 10:23:33 +03:00
bol-van
9c0c7cfa8c init.d: remove stun_binding_req 2025-12-04 23:24:05 +03:00
bol-van
807ad5953b nfqws2: profile templates, remove stun_bindin_req detalisation 2025-12-04 23:22:27 +03:00
bol-van
ee031db3a1 blockcheck2: fix broken DNS cache 2025-12-04 14:57:00 +03:00
bol-van
93e4df72e5 zapret-lib: apply_arg_prefix, posdebug, argdebug 2025-12-03 16:08:12 +03:00
bol-van
e62d3919f4 nfqws2: proper conntrack position of replay pieces 2025-12-03 16:07:10 +03:00
bol-van
63414f8608 zapret-lib: typo 2025-12-02 21:55:09 +03:00
bol-van
18974e6c1f zapret-lib: separate execution plan replay function 2025-12-02 21:54:28 +03:00
bol-van
e61967ac2b nfqws2: profile names 2025-12-02 21:38:45 +03:00
bol-van
6010307667 nfqws2: post payload filter and range in exec plan, zapret-lib: duplicate range check logic 2025-12-02 20:48:03 +03:00
bol-van
04ceb589e0 nfqws2: desync orchestration luacalls 2025-12-02 17:49:23 +03:00
36 changed files with 2486 additions and 797 deletions
Expand all files Collapse all files

2
.github/workflows/build.yml vendored
View File

@@ -108,7 +108,7 @@ jobs:
export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
export STAGING_DIR=$RUNNER_TEMP
if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]]; then
if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == x86 ]]; then
# use classic lua
wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
(

49
blockcheck2.d/standard/24-syndata.sh Normal file
View File

@@ -0,0 +1,49 @@
. "$TESTDIR/def.inc"
pktws_check_http()
{
# $1 - test function
# $2 - domain
local PAYLOAD="--payload http_req" split
for split in '' multisplit multidisorder; do
pktws_curl_test_update "$1" "$2" --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split}
pktws_curl_test_update "$1" "$2" --lua-desync=syndata:blob=fake_default_http $PAYLOAD ${split:+$PAYLOAD --lua-desync=$split}
done
}
pktws_check_https_tls()
{
# $1 - test function
# $2 - domain
# $3 - PRE args for nfqws2
local PAYLOAD="--payload tls_client_hello" ok=0 pre="$3" split
for split in '' multisplit multidisorder; do
pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split} && ok=1
pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=0x1603 ${split:+$PAYLOAD --lua-desync=$split} && ok=1
pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,rndsni ${split:+$PAYLOAD --lua-desync=$split} && ok=1
pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,sni=google.com ${split:+$PAYLOAD --lua-desync=$split} && ok=1
done
[ "$ok" = 1 ]
}
pktws_check_https_tls12()
{
# $1 - test function
# $2 - domain
pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
}
pktws_check_https_tls13()
{
# $1 - test function
# $2 - domain
pktws_check_https_tls "$1" "$2"
}

2
blockcheck2.d/standard/def.inc
View File

@@ -2,6 +2,6 @@ FOOLINGS46_TCP=${FOOLINGS46_TCP:-"tcp_md5 badsum tcp_seq=-3000 tcp_seq=1000000 t
FOOLINGS6_TCP=${FOOLINGS6_TCP:-"ip6_hopbyhop ip6_hopbyhop:ip6_hopbyhop2 ip6_destopt ip6_routing ip6_ah"}
FOOLINGS_TCP="$FOOLINGS46_TCP"
[ "$IPV" = 6 ] && FOOLINGS_TCP="$FOOLINGS_TCP $FOOLINGS6_TCP"
FOOLINGS_UDP="badsum"
FOOLINGS_UDP="${FOOLINGS_UDP:-badsum}"
FAKE_REPEATS=${FAKE_REPEATS:-1}

53
blockcheck2.sh
View File

@@ -26,7 +26,7 @@ CURL=${CURL:-curl}
TEST_DEFAULT=${TEST_DEFAULT:-standard}
DOMAINS_DEFAULT=${DOMAINS_DEFAULT:-rutracker.org}
QNUM=${QNUM:-59780}
QNUM=${QNUM:-59781}
SOCKS_PORT=${SOCKS_PORT:-1993}
WS_UID=${WS_UID:-1}
WS_GID=${WS_GID:-3003}
@@ -275,44 +275,45 @@ mdig_cache()
mdig_resolve()
{
# $1 - ip version 4/6
# $2 - hostname, possibly with uri : rutracker.org/xxx/xxxx
local hostvar cachevar countvar count ip n sdom
# $2 - var to receive result
# $3 - hostname, possibly with uri : rutracker.org/xxx/xxxx
local hostvar cachevar countvar count n sdom
split_by_separator "$2" / sdom
split_by_separator "$3" / sdom
mdig_vars "$1" "$sdom"
if [ -n "$count" ]; then
n=$(random 0 $(($count-1)))
eval ip=\$${cachevar}_$n
echo $ip
eval $2=\$${cachevar}_$n
return 0
else
mdig_cache "$1" "$sdom" && mdig_resolve "$1" "$sdom"
mdig_cache "$1" "$sdom" && mdig_resolve "$1" "$2" "$sdom"
fi
}
mdig_resolve_all()
{
# $1 - ip version 4/6
# $2 - hostname
# $2 - var to receive result
# $3 - hostname
local hostvar cachevar countvar count ip ips n sdom
local hostvar cachevar countvar count ip__ ips__ n sdom
split_by_separator "$2" / sdom
split_by_separator "$3" / sdom
mdig_vars "$1" "$sdom"
if [ -n "$count" ]; then
n=0
while [ "$n" -le $count ]; do
eval ip=\$${cachevar}_$n
if [ -n "$ips" ]; then
ips="$ips $ip"
eval ip__=\$${cachevar}_$n
if [ -n "$ips__" ]; then
ips__="$ips__ $ip__"
else
ips="$ip"
ips__="$ip__"
fi
n=$(($n + 1))
done
echo "$ips"
eval $2="\$ips__"
return 0
else
mdig_cache "$1" "$sdom" && mdig_resolve_all "$1" "$sdom"
mdig_cache "$1" "$sdom" && mdig_resolve_all "$1" "$2" "$sdom"
fi
}
@@ -640,7 +641,7 @@ curl_with_dig()
local sdom suri ip
split_by_separator "$dom" / sdom suri
ip=$(mdig_resolve $1 $sdom)
mdig_resolve $1 ip $sdom
shift ; shift ; shift
if [ -n "$ip" ]; then
curl_with_subst_ip "$sdom" "$port" "$ip" "$@"
@@ -965,7 +966,7 @@ check_domain_port_block()
echo
echo \* port block tests ipv$IPV $1:$2
if netcat_setup; then
ips=$(mdig_resolve_all $IPV $1)
mdig_resolve_all $IPV ips $1
if [ -n "$ips" ]; then
for ip in $ips; do
if netcat_test $ip $2; then
@@ -1198,8 +1199,8 @@ test_runner()
[ -f "$script" ] || continue
unset -f $FUNC
. "$script"
echo
existf $FUNC && {
echo
echo "* script : $TEST/$(basename "$script")"
$FUNC "$@"
}
@@ -1254,7 +1255,7 @@ check_dpi_ip_block()
echo "> testing $UNBLOCKED_DOM on it's original ip"
if curl_test $1 $UNBLOCKED_DOM; then
unblocked_ip=$(mdig_resolve $IPV $UNBLOCKED_DOM)
mdig_resolve $IPV unblocked_ip $UNBLOCKED_DOM
[ -n "$unblocked_ip" ] || {
echo $UNBLOCKED_DOM does not resolve. tests not possible.
return 1
@@ -1263,7 +1264,7 @@ check_dpi_ip_block()
echo "> testing $blocked_dom on $unblocked_ip ($UNBLOCKED_DOM)"
curl_test $1 $blocked_dom $unblocked_ip detail
blocked_ips=$(mdig_resolve_all $IPV $blocked_dom)
mdig_resolve_all $IPV blocked_ips $blocked_dom
for blocked_ip in $blocked_ips; do
echo "> testing $UNBLOCKED_DOM on $blocked_ip ($blocked_dom)"
curl_test $1 $UNBLOCKED_DOM $blocked_ip detail
@@ -1314,6 +1315,8 @@ check_domain_http_tcp()
# $3 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
# $4 - domain
local ips
# in case was interrupted before
pktws_ipt_unprepare_tcp $2
ws_kill
@@ -1325,7 +1328,8 @@ check_domain_http_tcp()
[ "$SKIP_PKTWS" = 1 ] || {
echo
echo preparing $PKTWSD redirection
pktws_ipt_prepare_tcp $2 "$(mdig_resolve_all $IPV $4)"
mdig_resolve_all $IPV ips $4
pktws_ipt_prepare_tcp $2 "$ips"
pktws_check_domain_http_bypass $1 $3 $4
@@ -1339,6 +1343,8 @@ check_domain_http_udp()
# $2 - port
# $3 - domain
local ips
# in case was interrupted before
pktws_ipt_unprepare_udp $2
ws_kill
@@ -1348,7 +1354,8 @@ check_domain_http_udp()
[ "$SKIP_PKTWS" = 1 ] || {
echo
echo preparing $PKTWSD redirection
pktws_ipt_prepare_udp $2 "$(mdig_resolve_all $IPV $3)"
mdig_resolve_all $IPV ips $3
pktws_ipt_prepare_udp $2 "$ips"
pktws_check_domain_http3_bypass $1 $3

12
common/list.sh
View File

@@ -25,7 +25,7 @@ filter_apply_hostlist_target()
{
# $1 - var name of nfqws params
local v parm parm1 parm2 parm3 parm4 parm5 parm6 parm7 parm8 parmNA
local v parm parm1 parm2 parm3 parm4 parm5 parm6 parm7 parm8 parm9 parm10 parmNA
eval v="\$$1"
if contains "$v" "$HOSTLIST_MARKER" || contains "$v" "$HOSTLIST_NOAUTO_MARKER"; then
[ "$MODE_FILTER" = hostlist -o "$MODE_FILTER" = autohostlist ] &&
@@ -40,10 +40,14 @@ filter_apply_hostlist_target()
parm5="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
parm6="${AUTOHOSTLIST_FAIL_TIME:+--hostlist-auto-fail-time=$AUTOHOSTLIST_FAIL_TIME}"
parm7="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
parm8="--hostlist=$HOSTLIST_AUTO"
parm8="${AUTOHOSTLIST_RETRANS_MAXSEQ:+--hostlist-auto-retrans-maxseq=$AUTOHOSTLIST_RETRANS_MAXSEQ}"
parm9="${AUTOHOSTLIST_INCOMING_MAXSEQ:+--hostlist-auto-incoming-maxseq=$AUTOHOSTLIST_INCOMING_MAXSEQ}"
parm10="${AUTOHOSTLIST_UDP_IN:+--hostlist-auto-udp-in=$AUTOHOSTLIST_UDP_IN}"
parm11="${AUTOHOSTLIST_UDP_OUT:+--hostlist-auto-udp-out=$AUTOHOSTLIST_UDP_OUT}"
parm12="--hostlist=$HOSTLIST_AUTO"
}
parm="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm4:+ $parm4}${parm5:+ $parm5}${parm6:+ $parm6}${parm7:+ $parm7}"
parmNA="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm8:+ $parm8}"
parm="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm4:+ $parm4}${parm5:+ $parm5}${parm6:+ $parm6}${parm7:+ $parm7}${parm8:+ $parm8}${parm9:+ $parm9}${parm10:+ $parm10}${parm11:+ $parm11}"
parmNA="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm10:+ $parm12}"
}
v="$(replace_str $HOSTLIST_NOAUTO_MARKER "$parmNA" "$v")"
v="$(replace_str $HOSTLIST_MARKER "$parm" "$v")"

4
config.default
View File

@@ -26,9 +26,13 @@ IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
AUTOHOSTLIST_INCOMING_MAXSEQ=4096
AUTOHOSTLIST_RETRANS_MAXSEQ=65536
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
AUTOHOSTLIST_UDP_IN=1
AUTOHOSTLIST_UDP_OUT=4
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

51
docs/changes.txt
View File

@@ -36,6 +36,57 @@ v0.2
* zapret-pcap
v0.3
* init.d launch scripts
* init.d: 40-webserver custom script
* install_easy
v0.4
* nfqws2: profile names and cookies
* nfqws2: profile templates
* nfqws2: remove stun_binding_req, replace to stun. no more message type details
* nfqws2: proper conntack position for replayed packets
* nfqws2: execution_plan, execution_plan_cancel
* blockcheck2: fix broken dns cache
* nfqws2: LUA_COMPAT_VER tracking
v0.5
* nfqws2: u8add,u16add,u24add,u32add luacalls
* nfqws2: abandon any arithmetics beyond 32bit (because lua 5.1 does not support 64 bit integers, store everything as double)
* nfqws2: fix issues with 32-bit lua_Integer in lua<5.3 on 32-bit platforms
* nfqws2: instance_cutoff luacall just warns and do nothing if ctx is nil
* actions: build nfqws2 x86 binary with LUA 5.4, not with luajit
* zapret-lib: http_reply, url and nld dissectors
* zapret-lib: instance_cutoff_shim
* zapret-auto: circular orchestrator
v0.5.1
* zapret-auto: separate failure detection logic
* blockcheck2: fix broken http3 test
v0.6
* zapret-lib,zapret-antidpi: tls_mod_shim supports sni=%var subst
* blockcheck2: syndata tests
* nfqws2: reasm support negative overlaps. gaps are not supported.
* nfqws2,zapret-auto: changed retransmission detection scheme.
* zapret-auto: udp_in/udp_out failure detection
v0.6.1
* zapret-lib, zapret-auto: condition and stopif orchestrators
* zapret-lib: detect_payload_str - sample lua payload detector
* blockcheck2: unterminated string fix
v0.7
* nfqws2, zapret-lib : fix non-working % and # arg substitution under orchestrator
* nfqws2, zapret-lib : structure conntrack in/out positions. pass in desync.track.pos.{client,server,direct,reverse} position tables
* nfqws2: autohostlist: trigger RST and http redirect failures only within specified relative sequence
* nfqws2: autohostlist: trigger http redirect failure if payload is http_req without connection proto check
* nfqws2: push desync.track.pos.dt as float with nsec accuracy
* zapret-auto: override host autostate key in automate_host_record
* nfqws2: rewrite udp autohostlist failure detector logic

11
docs/changes_compat.txt Normal file
View File

@@ -0,0 +1,11 @@
Here listed all api breaking changes.
When something changes capable of breaking things NFQWS2_COMPAT_VER increases.
v2
* removed "stun_binding_req" specialized payload. replaced with common "stun" - any stun packets, not only binding request.
every LUA relying on desync.l7payload should be revised.
nfqws2 --payload option and init.d custom scripts must be updated.
v3
* restructured desync.track. pass positions in desync.track.pos.{client,server,direct,reverse}
code relying on conntrack counters and sequence numbers must be rewritten

113
docs/manual.md Normal file
View File

@@ -0,0 +1,113 @@
# МАНУАЛ В ПРОЦЕССЕ НАПИСАНИЯ
# Введение
zapret2 является пакетным манипулятором, основная задача которого - совершение различных автономных атак на DPI в реальном времени
с целью преодоления ограничений (блокировок) ресурсов или сетевых протоколов.
Однако, этим возможности zapret2 не ограничиваются. Архитектура позволяет выполнять и другие виды пакетных манипуляций.
Например, двусторонняя (клиент+сервер) обфускация протоколов с целью их сокрытия от DPI. Возможны и иные применения.
# Структура проекта
Главный компонент zapret2 - программа nfqws2 (dvtws2 на BSD, winws2 на Windows), написанная на C, которая и является пакетным манипулятором.
Содержит функции по перехвату пакетов, базовой фильтрации, рапознавания основных протоколов и пейлоадов, поддержки хост и IP листов, автоматических хостлистов
с распознаванием блокировок, систему множественных профилей (стратегий), возможности по отсылке raw пакетов и другие сервисные функции.
Однако, там нет никаких возможностей собственно для воздействия на трафик. Это вынесено в код на языке LUA, вызываемый из nfqws2.
Поэтому следующая по важности часть проекта - LUA код. В базовый комплект входит библиотека функций-хелперов `zapret-lib.lua`,
библиотека программ автономных атак на DPI `zapret-antidpi.lua`, библиотека функций принятия динамических решений (оркестрации) `zapret-auto.lua`.
Дополнительно присутствует набор тестов C функций `zapret-tests.lua`, средство обфускации wireguard протокола `zapret-wgobfs.lua` и средство записи дампа пакетов в cap файлы `zapret-pcap.lua`.
Функции перенаправления трафика из ядра в Linux возложены на iptables и nftables, в FreeBSD - на ipfw, в OpenBSD - на pf, в Windows - встроены в сам процесс winws2 посредством драйвера windivert.
Схема перехвата трафика из ядра , nfqws2 и lua код составляют минимально рабочее ядро проекта. Все остальное является дополнительным, второстепенным и опциональным.
Из второстепенных компонент - скрипты запуска под Linux - `init.d`, `common`, `ipset`, `install_easy.sh`, `uninstall_easy.sh` и средство автоматизации тестирования стратегий `blockcheck2`.
Цель скриптов запуска - согласовать процесс поднятия таблиц и запуск инстансов nfqws2, учесть особенности интеграции в различные дистрибутивы (openwrt, systemd, openrc).
Дополнительная функция - обеспечить поддержку и согласованное обновление различных листов и загрузку IP листов в пространство ядра - ipset.
Все это можно сделать при желании и собственными средствами, если так удобнее или функционал скриптов запуска не подходит.
Скрипты запуска выносят все настройки в файл config, лежащий в корне проекта. Этот конфиг относится только к ним, nfqws2 ничего о нем не знает.
Для обработки листов предусмотрены 2 программы, написанные на C. mdig - многопоточный ресолвер хостлистов неограниченного обьема.
ip2net - программа для группировки отдельных IP адресов в подсети с целью сокращения их обьема.
Эти программы испльзуются в скриптах запуска и в blockcheck2.
Скрипты запуска и инсталятор поддерживает установку на любые классические дистрибутивы Linux с systemd или openrc , из прошивок - на openwrt.
Если система не удовлетворяет указанным требованиям - возможна самостоятельная "доприкрутка" к системе.
MacOS не поддерживается по причине отсутствия подходящего средства перехвата и управления пакетами. Стандартное для BSD средство ipdivert было убрано из ядра производителем.
# Схема обработки трафика
Сети работают с IP пакетами. Поэтому единицей обработки являются именно они. Приемом и отправкой пакетов занимается сетевая подсистема в ядре ОС.
nfqws2 работает не в ядре (kernel mode), а является процессом пространства пользователя (user mode). Поэтому первая часть процесса обработки состоит
в передаче пакетов из ядра ОС в процесс nfqws2. Все 4 средства перехвата обладают некоторыми возможностями фильтрации пакетов. Максимальные возможности - в Linux.
Чем больше на этом этапе будет отсечено ненужного трафика, тем меньше будет нагрузка на процессор, поскольку передача пакетов из ядра в user mode и обратно сопряжена со значительными накладными расходами.
Пакет пришел в nfqws2. Первое, что он делает, это разбирает его по уровням OSI модели - выделяет ip , ipv6, tcp, udp заголовки и поле данных. Это называется диссекцией.
Результатом диссекции является диссект - представление пакета в виде структур, которые можно адресовать по полям.
Далее задействуется встроенная в nfqws2 подсистема conntrack - система отслеживания потоков поверх отдельно взятых пакетов.
Ищется уже имеющаяся запись о соединении на основании данных L3/L4 пакета. Если ее нет - создается. Старые записи, по которым давно нет активности, удаляются.
conntrack отслеживает логическое направление пакетов в потоке (входящее/исходящее), ведет подсчет количество прошедших пакетов и байт в обе стороны,
следит за sequence numbers для tcp. Он же используется в случае необходимости для сборки сообщений, передаваемых несколькими пакетами.
Сигнатурно определяется тип пейлоада - содержимого отдельно взятого пакета или группы пакетов. На основании типа пейлоада определяется тип протокола
всего потока, который сохраняется за потоком до конца его существования. В рамках одного соединения могут проходить разные типы пейлоадов.
Например, протокол потока xmpp обычно несет несколько видов специфических для xmpp сообщений и сообщения, связанные с tls.
Тип протокола потока xmpp остается, но последующие пакеты получают различные типы пейлоада - как известные, так и неизвестные. Неизвестные пейлоады определяются как тип "unknown".
Если для конкретного пейлоада и типа протокола потока выясняется необходимость реконструкции сообщения из нескольких пакетов, nfqws2 начинает их накапливать в связи с записью в conntrack
и запрещает их немедленную отправку. После приема всех пакетов сообщения происходит реконструкция и при необходимости дешифровка составного пейлоада.
Дальнейшие решения принимаются уже на базе полностью собранного пейлоада - reasm или результата сборки и дешифровки - decrypt.
Когда необходимая информация о пейлоаде получена, наступает очередь системы классификации по профилям.
Профили содержат систему фильтров и команды действия внутри профиля.
Профили фильтруются по L3 - версия IP протокола, ipset-ы - списки IP адресов, L4 - порты tcp или udp, L6/L7 - тип протокола потока, списки доменов (хостлисты).
Профили сканируются строго в порядке от первого к последнему. При первом совпадении условий фильтра профиля выбирается этот профиль, а сканирование прекращается.
Если ни одно из условий не выполнено, выбирается профиль по умолчанию, в котором нет никаких действий.
Все дальнейшие действия выполняются уже в рамках выбранного профиля. Выбранный профиль кэшируется в записи conntrack, поэтому для каждого пакета поиск заново не выполняется.
Повторный поиск выполняется в случае изменения исходных данных - при обнаружении L7 протокола и при обнаружении имени хоста. В последних случаях производится повторный поиск
и при необходимости переключение профиля. Таких переключений может быть за соединение до двух, поскольку есть лишь 2 изменяемых параметра.
Профиль выбран. Из чего состоит его содержание, отвечающее за действия ?
За действия отвечают LUA функции. В профиле их может быть произвольное количество.
Каждый вызов LUA функции из профиля называется инстансом. Функция может быть одна, вызовов несколько - с разными параметрами.
Поэтому и применяется понятие инстанса - экземпляра вызываемой функции, который идентифицируется номером профиля и порядковым номером вызова внутри профиля.
Инстансы вызываются через параметры `--lua-desync`. Каждый инстанс получает набор произвольных параметров, задаваемых в `--lua-desync`.
Порядок вызовов имеет принципиальное значение для логики стратегии и выполняется строго в порядке задания параметров `--lua-desync`.
Присутствуют и внутипрофильные фильтры. Их 3 типа - фильтр `--payload` - список принимаемых инстансом пейлоадов, и 2 диапазонных фильтра `--in-range` и `--out-range`,
позволяющих задать диапазон позиций внутри потока, который интересен для инстанса. Внутрипрофильные фильтры после их определения действуют на все последующие инстансы
до их переопределения. Главный смысл наличия внутрипрофильных фильтров - сократить число относительно медленных вызовов LUA , принимая максимум решений на стороне C кода.
Пакет пришел в LUA инстанс. Функция имеет 2 параметра - ctx и desync. ctx - это контекст для связи с некоторыми функциями на стороне C кода.
desync - таблица, содержащая множество параметров обрабатываемого пакета. Прежде всего это диссект - подтаблица `dis`.
Информация из записи conntrack - подтаблица `track`. Еще целый ряд параметров, который можно увидеть, выполнив `var_debug(desync)` или просто вызвав готовый инстанс `pktdebug`.
Если идет перепроигрывание задержанных пакетов (replay), LUA инстанс получает информацию о номере части, количестве частей исходного сообщения, позиции текущей части,
reasm или decrypt при наличии.
LUA код может использовать глобальное пространство переменных для хранения данных, не относящихся к конкретному обрабатываемому пакету. Ему доступна таблица `desync.track.lua_state`,
в которой он может хранить любую информацию, связанную с записью conntrack. При каждом новом пакете потока в LUA выдается одна и та же таблица.
Таблицу desync можно использовать для генерации и хранения временных данных, актуальных в цепочке обработки текущего пакета.
Следующие LUA инстансы получают ту же таблицу desync и тем самым могут принимать данные от предыдущих инстансов.
LUA инстанс может создавать копии текущего диссекта, вносить в них изменения, генерировать собственные диссекты, отправлять их через вызовы C кода.
Итогом работы каждого инстанса является вердикт - VERDICT_PASS - не делать ничего с текущим диссектом, VERDICT_MODIFY - в конце всей цепочки отослать модифицированное содержимое диссекта,
VERDICT_DROP - дропнуть текущий диссект. Вердикты всех инстансов аггрегируются - MODIFY замещает PASS, а DROP замещает и PASS, и MODIFY.
LUA инстанс может сам себя отключить от получения дальнейших пакетов потока по направлению in/out - это назвается instance cutoff.
Может отключить направление in/out текущего потока от всей LUA обработки - lua cutoff.
Может запросить отмену всей дальнейшей цепочки вызовов LUA инстансов по текущему диссекту. Инстанс, принимающий такое решение, берет на себя функцию координации дальнейших действий.
Такой инстанс называется оркестратором. Он получает от C кода план дальнейшего выполнения со всеми фильтрами профиля и параметрами вызова всех оставшихся инстансов
и сам принимает решения когда и при каких условиях их вызывать или не вызывать, менять их параметры. Так реализуются динамические сценарии без модификации основных составлящих кода стратегии.
Например, определение блокировки ресурса и смена стратегии, если предыдущая не сработала.
Если все инстансы текущего профиля вошли в состояние cutoff по текущему потоку, либо текущая позиция потока находится за верхней границей range фильтров, значит по этому потоку больше не будет LUA
вызовов. C код помечает такие потоки специальным признаком "lua cutoff", который проверяется максимально быстро без вызовов кода LUA. Тем самым экономятся ресурсы процессора.
После выполнения всей цепочки инстансов профиля C код получает итоговый вердикт - что делать с текущим диссектом. Отправить как есть, отправить модифицированный вариант или дропнуть.
В конце nfqws2 переходит к ожиданию следующего пакета, и цикл повторяется вновь.

4
docs/readme.md
View File

@@ -1,5 +1,3 @@
# zapret2 v0.2
## Зачем это нужно
Автономное средство противодействия DPI, которое не требует подключения каких-либо сторонних серверов. Может помочь
@@ -361,7 +359,7 @@ start "zapret: http,https,quic" /min "%~dp0winws2.exe" ^
--new ^
--filter-l7=wireguard,stun,discord ^
--out-range=-d10 ^
--payload=wireguard_initiation,wireguard_cookie,stun_binding_req,discord_ip_discovery ^
--payload=wireguard_initiation,wireguard_cookie,stun,discord_ip_discovery ^
--lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2
```

2
init.d/custom.d.examples.linux/50-stun4all
View File

@@ -2,7 +2,7 @@
# NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)
# can override in config :
NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun_binding_req --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
alloc_dnum DNUM_STUN4ALL
alloc_qnum QNUM_STUN4ALL

2
init.d/openwrt/zapret2
View File

@@ -41,7 +41,7 @@ PIDDIR=/var/run
USEROPT="--user=$WS_USER"
NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua"
LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"
run_daemon()

2
init.d/sysv/functions
View File

@@ -72,7 +72,7 @@ DESYNC_MARK_POSTNAT=${DESYNC_MARK_POSTNAT:-0x20000000}
QNUM=${QNUM:-300}
NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua"
LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"

56
lua/zapret-antidpi.lua
View File

@@ -113,7 +113,7 @@ end
-- standard args : direction
function http_domcase(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -139,7 +139,7 @@ end
-- arg : spell=<str> . spelling of the "Host" header. must be exactly 4 chars long
function http_hostcase(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -164,7 +164,7 @@ end
-- standard args : direction
function http_methodeol(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -221,10 +221,10 @@ function synack_split(ctx, desync)
error("synack_split: bad mode '"..mode.."'")
end
else
instance_cutoff(ctx) -- mission complete
instance_cutoff_shim(ctx, desync) -- mission complete
end
else
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
end
end
@@ -238,10 +238,10 @@ function synack(ctx, desync)
DLOG("synack: sending")
rawsend_dissect_ipfrag(dis, desync_opts(desync))
else
instance_cutoff(ctx) -- mission complete
instance_cutoff_shim(ctx, desync) -- mission complete
end
else
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
end
end
@@ -256,10 +256,10 @@ function wsize(ctx, desync)
return VERDICT_MODIFY
end
else
instance_cutoff(ctx) -- mission complete
instance_cutoff_shim(ctx, desync) -- mission complete
end
else
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
end
end
@@ -270,7 +270,7 @@ end
-- arg : forced_cutoff=<list> - comma separated list of payloads that trigger forced wssize cutoff. by default - any non-empty payload
function wssize(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
local verdict = VERDICT_PASS
@@ -281,7 +281,7 @@ function wssize(ctx, desync)
end
if #desync.dis.payload>0 and (not desync.arg.forced_cutoff or in_list(desync.arg.forced_cutoff, desync.l7payload)) then
DLOG("wssize: forced cutoff")
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
end
end
return verdict
@@ -290,7 +290,7 @@ end
-- nfqws1 : "--dpi-desync=syndata"
-- standard args : fooling, rawsend, reconstruct, ipfrag
-- arg : blob=<blob> - fake payload. must fit to single packet. no segmentation possible. default - 16 zero bytes.
-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>,dupsid,padencap
-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>. sni=%var is supported
function syndata(ctx, desync)
if desync.dis.tcp then
if bitand(desync.dis.tcp.th_flags, TH_SYN + TH_ACK)==TH_SYN then
@@ -298,17 +298,17 @@ function syndata(ctx, desync)
dis.payload = blob(desync, desync.arg.blob, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
apply_fooling(desync, dis)
if desync.arg.tls_mod then
dis.payload = tls_mod(dis.payload, desync.arg.tls_mod, nil)
dis.payload = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
end
if b_debug then DLOG("syndata: "..hexdump_dlog(dis.payload)) end
if rawsend_dissect_ipfrag(dis, desync_opts(desync)) then
return VERDICT_DROP
end
else
instance_cutoff(ctx) -- mission complete
instance_cutoff_shim(ctx, desync) -- mission complete
end
else
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
end
end
@@ -317,7 +317,7 @@ end
-- arg : rstack - send RST,ACK instead of RST
function rst(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -340,7 +340,7 @@ end
-- nfqws1 : "--dpi-desync=fake"
-- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
-- arg : blob=<blob> - fake payload
-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>,dupsid,padencap
-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>,dupsid,padencap . sni=%var is supported
function fake(ctx, desync)
direction_cutoff_opposite(ctx, desync)
-- by default process only outgoing known payloads
@@ -351,7 +351,7 @@ function fake(ctx, desync)
end
local fake_payload = blob(desync, desync.arg.blob)
if desync.reasm_data and desync.arg.tls_mod then
fake_payload = tls_mod(fake_payload, desync.arg.tls_mod, desync.reasm_data)
fake_payload = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
end
-- check debug to save CPU
if b_debug then DLOG("fake: "..hexdump_dlog(fake_payload)) end
@@ -371,7 +371,7 @@ end
-- arg : nodrop - do not drop current dissect
function multisplit(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -421,11 +421,11 @@ end
-- arg : pos=<postmarker list> . position marker list. example : "1,host,midsld+1,-10"
-- arg : seqovl=N . decrease seq number of the second segment in the original order by N and fill N bytes with pattern (default - all zero). N must be less than the first split pos.
-- arg : seqovl_pattern=<blob> . override pattern
-- arg : blob=<blob> - use this data instead of desync.dis.payload
-- arg : blob=<blob> - use this data instead of reasm_data
-- arg : nodrop - do not drop current dissect
function multidisorder(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -491,7 +491,7 @@ end
-- arg : nodrop - do not drop current dissect
function hostfakesplit(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -600,11 +600,11 @@ end
-- arg : pattern=<blob> . fill fake parts with this pattern
-- arg : seqovl=N . decrease seq number of the first segment by N and fill N bytes with pattern (default - all zero)
-- arg : seqovl_pattern=<blob> . override seqovl pattern
-- arg : blob=<blob> - use this data instead of desync.dis.payload
-- arg : blob=<blob> - use this data instead of reasm_data
-- arg : nodrop - do not drop current dissect
function fakedsplit(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -697,7 +697,7 @@ end
-- arg : nodrop - do not drop current dissect
function fakeddisorder(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -797,7 +797,7 @@ end
-- arg : blob=<blob> - use this data instead of desync.dis.payload
function tcpseg(ctx, desync)
if not desync.dis.tcp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -841,7 +841,7 @@ end
-- arg : pattern_offset=N . offset in the pattern. 0 by default
function udplen(ctx, desync)
if not desync.dis.udp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)
@@ -877,7 +877,7 @@ end
-- arg : dn=N - message starts from "dN". 2 by default
function dht_dn(ctx, desync)
if not desync.dis.udp then
instance_cutoff(ctx)
instance_cutoff_shim(ctx, desync)
return
end
direction_cutoff_opposite(ctx, desync)

323
lua/zapret-auto.lua Normal file
View File

@@ -0,0 +1,323 @@
-- standard automation/orchestration code
-- this is related to making dynamic strategy decisions without rewriting or altering strategy function code
-- orchestrators can decide which instances to call or not to call or pass them dynamic arguments
-- failure detectors test potential block conditions for orchestrators
-- arg: reqhost - require hostname, do not work with ip
-- arg: key - a string - table name inside autostate table. to allow multiple orchestrator instances to use single host storage
function automate_host_record(desync)
local hostkey, askey
if desync.arg.reqhost then
hostkey = desync.track and desync.track.hostname
else
hostkey = host_or_ip(desync)
end
if not hostkey then
DLOG("automate: host record key unavailable")
return nil
end
askey = (desync.arg.key and #desync.arg.key>0) and desync.arg.key or desync.func_instance
DLOG("automate: host record key 'autostate."..askey.."."..hostkey.."'")
if not autostate then
autostate = {}
end
if not autostate[askey] then
autostate[askey] = {}
end
if not autostate[askey][hostkey] then
autostate[askey][hostkey] = {}
end
return autostate[askey][hostkey]
end
function automate_conn_record(desync)
if not desync.track.lua_state.automate then
desync.track.lua_state.automate = {}
end
return desync.track.lua_state.automate
end
-- counts failure, optionally (if crec is given) prevents dup failure counts in a single connection
-- if 'maxtime' between failures is exceeded then failure count is reset
-- return true if threshold ('fails') is reached
-- hres is host record. host or ip bound table
-- cres is connection record. connection bound table
function automate_failure_counter(hrec, crec, fails, maxtime)
if crec and crec.failure then
DLOG("automate: duplicate failure in the same connection. not counted")
else
if crec then crec.failure = true end
local tnow=os.time()
if not hrec.failure_time_last then
hrec.failure_time_last = tnow
end
if not hrec.failure_counter then
hrec.failure_counter = 0
elseif tnow>(hrec.failure_time_last + maxtime) then
DLOG("automate: failure counter reset because last failure was "..(tnow - hrec.failure_time_last).." seconds ago")
hrec.failure_counter = 0
end
hrec.failure_counter = hrec.failure_counter + 1
hrec.failure_time_last = tnow
if b_debug then DLOG("automate: failure counter "..hrec.failure_counter..(fails and ('/'..fails) or '')) end
if fails and hrec.failure_counter>=fails then
hrec.failure_counter = nil -- reset counter
return true
end
end
return false
end
-- location is url compatible with Location: header
-- hostname is original hostname
function is_dpi_redirect(hostname, location)
local ds = dissect_url(location)
if ds.domain then
local sld1 = dissect_nld(hostname,2)
local sld2 = dissect_nld(ds.domain,2)
return sld2 and sld1~=sld2
end
return false
end
-- standard failure detector
-- works with tcp and udp
-- detected failures:
-- incoming RST
-- incoming http redirection
-- outgoing retransmissions
-- udp too much out with too few in
-- arg: seq=<rseq> - tcp: if packet is beyond this relative sequence number treat this connection as successful. default is 64K
-- arg: retrans=N - tcp: retrans count threshold. default is 3
-- arg: rst=<rseq> - tcp: maximum relative sequence number to treat incoming RST as DPI reset. default is 1
-- arg: no_http_redirect - tcp: disable http_reply dpi redirect trigger
-- arg: udp_out - udp: >= outgoing udp packets. default is 4
-- arg: udp_in - udp: with <= incoming udp packets. default is 1
function standard_failure_detector(desync, crec, arg)
if crec.nocheck then return false end
local seq_rst = tonumber(arg.rst) or 1
local retrans = tonumber(arg.retrans) or 3
local maxseq = tonumber(arg.seq) or 0x10000
local udp_in = tonumber(arg.udp_in) or 1
local udp_out = tonumber(arg.udp_out) or 4
local trigger = false
if desync.dis.tcp then
local seq = pos_get(desync,'s')
if maxseq and seq>maxseq then
DLOG("standard_failure_detector: s"..seq.." is beyond s"..maxseq..". treating connection as successful")
crec.nocheck = true
return false
end
if desync.outgoing then
if #desync.dis.payload>0 and retrans and (crec.retrans or 0)<retrans then
if is_retransmission(desync) then
crec.retrans = crec.retrans and (crec.retrans+1) or 1
DLOG("standard_failure_detector: retransmission "..crec.retrans.."/"..retrans)
trigger = crec.retrans>=retrans
end
end
else
if seq_rst and bitand(desync.dis.tcp.th_flags, TH_RST)~=0 then
trigger = seq<=seq_rst
if b_debug then
if trigger then
DLOG("standard_failure_detector: incoming RST s"..seq.." in range s"..seq_rst)
else
DLOG("standard_failure_detector: not counting incoming RST s"..seq.." beyond s"..seq_rst)
end
end
elseif not arg.no_http_redirect and desync.l7payload=="http_reply" and desync.track.hostname then
local hdis = http_dissect_reply(desync.dis.payload)
if hdis and (hdis.code==302 or hdis.code==307) and hdis.headers.location and hdis.headers.location then
trigger = is_dpi_redirect(desync.track.hostname, hdis.headers.location.value)
if b_debug then
if trigger then
DLOG("standard_failure_detector: http redirect "..hdis.code.." to '"..hdis.headers.location.value.."'. looks like DPI redirect.")
else
DLOG("standard_failure_detector: http redirect "..hdis.code.." to '"..hdis.headers.location.value.."'. NOT a DPI redirect.")
end
end
end
end
end
elseif desync.dis.udp then
if desync.outgoing then
if udp_out then
local udp_in = udp_in or 0
trigger = desync.track.pos.direct.pcounter>=udp_out and desync.track.pos.reverse.pcounter<=udp_in
if trigger then
crec.nocheck = true
if b_debug then
DLOG("standard_failure_detector: udp_out "..desync.track.pos.direct.pcounter..">="..udp_out.." udp_in "..desync.track.pos.reverse.pcounter.."<="..udp_in)
end
end
end
end
end
return trigger
end
-- circularily change strategy numbers when failure count reaches threshold ('fails')
-- works with tcp only
-- this orchestrator requires redirection of incoming traffic to cache RST and http replies !
-- each orchestrated instance must have strategy=N arg, where N starts from 1 and increment without gaps
-- if 'final' arg is present in an orchestrated instance it stops rotation
-- arg: fails=N - failture count threshold. default is 3
-- arg: time=<sec> - if last failure happened earlier than `maxtime` seconds ago - reset failure counter. default is 60.
-- arg: reqhost - pass with no tampering if hostname is unavailable
-- arg: detector - failure detector function name.
-- args for failure detector - see standard_failure_detector or your own detector
-- test case: nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s1 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
function circular(ctx, desync)
local function count_strategies(hrec)
if not hrec.ctstrategy then
local uniq={}
local n=0
for i,instance in pairs(desync.plan) do
if instance.arg.strategy then
n = tonumber(instance.arg.strategy)
if not n or n<1 then
error("circular: strategy number '"..tostring(instance.arg.strategy).."' is invalid")
end
uniq[tonumber(instance.arg.strategy)] = true
if instance.arg.final then
hrec.final = n
end
end
end
n=0
for i,v in pairs(uniq) do
n=n+1
end
if n~=#uniq then
error("circular: strategies numbers must start from 1 and increment. gaps are not allowed.")
end
hrec.ctstrategy = n
end
end
-- take over execution. prevent further instance execution in case of error
orchestrate(ctx, desync)
if not desync.track then
DLOG_ERR("circular: conntrack is missing but required")
return
end
local hrec = automate_host_record(desync)
if not hrec then
DLOG("circular: passing with no tampering")
return
end
count_strategies(hrec)
if hrec.ctstrategy==0 then
error("circular: add strategy=N tag argument to each following instance ! N must start from 1 and increment")
end
if not hrec.nstrategy then
DLOG("circular: start from strategy 1")
hrec.nstrategy = 1
end
local verdict = VERDICT_PASS
if hrec.final~=hrec.nstrategy then
local crec = automate_conn_record(desync)
local fails = tonumber(desync.arg.fails) or 3
local maxtime = tonumber(desync.arg.time) or 60
local failure_detector
if desync.arg.detector then
if type(_G[desync.arg.detector])~="function" then
error("circular: invalid failure detector function '"..desync.arg.detector.."'")
end
failure_detector = _G[desync.arg.detector]
else
failure_detector = standard_failure_detector
end
if failure_detector(desync,crec,desync.arg) then
-- failure happened. count failures.
if automate_failure_counter(hrec, crec, fails, maxtime) then
-- counter reaches threshold. circular strategy change
hrec.nstrategy = (hrec.nstrategy % hrec.ctstrategy) + 1
DLOG("circular: rotate strategy to "..hrec.nstrategy)
if hrec.nstrategy == hrec.final then
DLOG("circular: final strategy "..hrec.final.." reached. will rotate no more.")
end
end
end
end
DLOG("circular: current strategy "..hrec.nstrategy)
while true do
local instance = plan_instance_pop(desync)
if not instance then break end
if instance.arg.strategy and tonumber(instance.arg.strategy)==hrec.nstrategy then
verdict = plan_instance_execute(desync, verdict, instance)
end
end
return verdict
end
-- test iff functions
function cond_true(desync)
return true
end
function cond_false(desync)
return false
end
-- arg: percent - of true . 50 by default
function cond_random(desync)
return math.random(0,99)<(tonumber(desync.arg.percent) or 50)
end
-- this iif function detects packets having 'arg.pattern' string in their payload
-- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --lua-desync=condition:iff=cond_payload_str:pattern=1234 --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
-- test case (true) : echo aaz1234zzz | ncat -4u 1.1.1.1 443
-- test case (false) : echo aaze124zzz | ncat -4u 1.1.1.1 443
function cond_payload_str(desync)
if not desync.arg.pattern then
error("cond_payload_str: missing 'pattern'")
end
return string.find(desync.dis.payload,desync.arg.pattern,1,true)
end
-- check iff function available. error if not
function require_iff(desync, name)
if not desync.arg.iff then
error(name..": missing 'iff' function")
end
if type(_G[desync.arg.iff])~="function" then
error(name..": invalid 'iff' function '"..desync.arg.iff.."'")
end
end
-- execute further desync instances only if user-provided 'iff' function returns true
-- for example, this can be used by custom protocol detectors
-- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
-- arg: neg - invert condition function result
-- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --lua-desync=condition:iff=cond_random --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
function condition(ctx, desync)
require_iff(desync, "condition")
orchestrate(ctx, desync)
if logical_xor(_G[desync.arg.iff](desync), desync.arg.neg) then
DLOG("condition: true")
return replay_execution_plan(desync)
else
DLOG("condition: false")
plan_clear(desync)
end
end
-- clear execution plan if user provided 'iff' functions returns true
-- can be used with other orchestrators to stop execution conditionally
-- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
-- arg: neg - invert condition function result
-- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s1 --lua-desync=circular --lua-desync=stopif:iff=cond_random:strategy=1 --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
function stopif(ctx, desync)
require_iff(desync, "stopif")
orchestrate(ctx, desync)
if logical_xor(_G[desync.arg.iff](desync), desync.arg.neg) then
DLOG("stopif: true")
plan_clear(desync)
else
-- do not do anything. allow other orchestrator to finish the plan
DLOG("stopif: false")
end
end

394
lua/zapret-lib.lua
View File

@@ -1,8 +1,8 @@
HEXDUMP_DLOG_MAX = HEXDUMP_DLOG_MAX or 32
NOT3=bitnot(3)
NOT7=bitnot(7)
math.randomseed(os.time())
-- xor pid,tid,sec,nsec
math.randomseed(bitxor(getpid(),gettid(),clock_gettime()))
-- basic desync function
-- execute given lua code. "desync" is temporary set as global var to be accessible to the code
@@ -35,8 +35,271 @@ function pktdebug(ctx, desync)
DLOG("desync:")
var_debug(desync)
end
-- basic desync function
-- prints function args
function argdebug(ctx, desync)
var_debug(desync.arg)
end
-- basic desync function
-- prints conntrack positions to DLOG
function posdebug(ctx, desync)
if not desync.track then
DLOG("posdebug: no track")
return
end
local s="posdebug: "..(desync.outgoing and "out" or "in").." time +"..desync.track.pos.dt.."s direct"
for i,pos in pairs({'n','d','b','s','p'}) do
s=s.." "..pos..pos_get(desync, pos, false)
end
s=s.." reverse"
for i,pos in pairs({'n','d','b','s','p'}) do
s=s.." "..pos..pos_get(desync, pos, true)
end
s=s.." payload "..#desync.dis.payload
if desync.reasm_data then
s=s.." reasm "..#desync.reasm_data
end
if desync.decrypt_data then
s=s.." decrypt "..#desync.decrypt_data
end
if desync.replay_piece_count then
s=s.." replay "..desync.replay_piece.."/"..desync.replay_piece_count
end
DLOG(s)
end
-- basic desync function
-- set l7payload to 'arg.payload' if reasm.data or desync.dis.payload contains 'arg.pattern' substring
-- NOTE : this does not set payload on C code side !
-- NOTE : C code will not see payload change. --payload args take only payloads known to C code and cause error if unknown.
-- arg: pattern - substring for search inside reasm_data or desync.dis.payload
-- arg: payload - set desync.l7payload to this if detected
-- arg: undetected - set desync.l7payload to this if not detected
-- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-antidpi.lua --lua-init=@zapret-auto.lua --lua-desync=detect_payload_str:pattern=1234:payload=my --lua-desync=fake:blob=0x1234:payload=my
function detect_payload_str(ctx, desync)
if not desync.arg.pattern then
error("detect_payload_str: missing 'pattern'")
end
local data = desync.reasm_data or desync.dis.payload
local b = string.find(data,desync.arg.pattern,1,true)
if b then
DLOG("detect_payload_str: detected '"..desync.arg.payload.."'")
if desync.arg.payload then desync.l7payload = desync.arg.payload end
else
DLOG("detect_payload_str: not detected '"..desync.arg.payload.."'")
if desync.arg.undetected then desync.l7payload = desync.arg.undetected end
end
end
-- this shim is needed then function is orchestrated. ctx services not available
-- have to emulate cutoff in LUA using connection persistent table track.lua_state
function instance_cutoff_shim(ctx, desync, dir)
if ctx then
instance_cutoff(ctx, dir)
elseif not desync.track then
DLOG("instance_cutoff_shim: cannot cutoff '"..desync.func_instance.."' because conntrack is absent")
else
if not desync.track.lua_state.cutoff_shim then
desync.track.lua_state.cutoff_shim = {}
end
if not desync.track.lua_state.cutoff_shim[desync.func_instance] then
desync.track.lua_state.cutoff_shim[desync.func_instance] = {}
end
if type(dir)=="nil" then
-- cutoff both directions by default
desync.track.lua_state.cutoff_shim[desync.func_instance][true] = true
desync.track.lua_state.cutoff_shim[desync.func_instance][false] = true
else
desync.track.lua_state.cutoff_shim[desync.func_instance][dir] = true
end
if b_debug then DLOG("instance_cutoff_shim: cutoff '"..desync.func_instance.."' in="..tostring(type(dir)=="nil" and true or not dir).." out="..tostring(type(dir)=="nil" or dir)) end
end
end
function cutoff_shim_check(desync)
if not desync.track then
DLOG("cutoff_shim_check: cannot check '"..desync.func_instance.."' cutoff because conntrack is absent")
return false
else
local b=desync.track.lua_state.cutoff_shim and
desync.track.lua_state.cutoff_shim[desync.func_instance] and
desync.track.lua_state.cutoff_shim[desync.func_instance][desync.outgoing]
if b and b_debug then
DLOG("cutoff_shim_check: '"..desync.func_instance.."' "..(desync.outgoing and "out" or "in").." cutoff")
end
return b
end
end
-- applies # and $ prefixes. #var means var length, %var means var value
function apply_arg_prefix(desync)
for a,v in pairs(desync.arg) do
local c = string.sub(v,1,1)
if c=='#' then
local blb = blob(desync,string.sub(v,2))
desync.arg[a] = (type(blb)=='string' or type(blb)=='table') and #blb or 0
elseif c=='%' then
desync.arg[a] = blob(desync,string.sub(v,2))
elseif c=='\\' then
c = string.sub(v,2,2);
if c=='#' or c=='%' then
desync.arg[a] = string.sub(v,2)
end
end
end
end
-- copy instance identification and args from execution plan to desync table
-- NOTE : to not lose VERDICT_MODIFY dissect changes pass original desync table
-- NOTE : if a copy was passed and VERDICT_MODIFY returned you must copy modified dissect back to desync table or resend it and return VERDICT_DROP
-- NOTE : args and some fields are substituted. if you need them - make a copy before calling this.
function apply_execution_plan(desync, instance)
desync.func = instance.func
desync.func_n = instance.func_n
desync.func_instance = instance.func_instance
desync.arg = deepcopy(instance.arg)
apply_arg_prefix(desync)
end
-- produce resulting verdict from 2 verdicts
function verdict_aggregate(v1, v2)
local v
v1 = v1 or VERDICT_PASS
v2 = v2 or VERDICT_PASS
if v1==VERDICT_DROP or v2==VERDICT_DROP then
v=VERDICT_DROP
elseif v1==VERDICT_MODIFY or v2==VERDICT_MODIFY then
v=VERDICT_MODIFY
else
v=VERDICT_PASS
end
return v
end
function plan_instance_execute(desync, verdict, instance)
apply_execution_plan(desync, instance)
if cutoff_shim_check(desync) then
DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because of voluntary cutoff")
elseif not payload_match_filter(desync.l7payload, instance.payload_filter) then
DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because payload '"..desync.l7payload.."' does not match filter '"..instance.payload_filter.."'")
elseif not pos_check_range(desync, instance.range) then
DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because pos "..pos_str(desync,instance.range.from).." "..pos_str(desync,instance.range.to).." is out of range '"..pos_range_str(instance.range).."'")
else
DLOG("plan_instance_execute: calling '"..desync.func_instance.."'")
verdict = verdict_aggregate(verdict,_G[instance.func](nil, desync))
end
return verdict
end
function plan_instance_pop(desync)
return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1)
end
function plan_clear(desync)
while table.remove(desync.plan) do end
end
-- this approach allows nested orchestrators
function orchestrate(ctx, desync)
if not desync.plan then
execution_plan_cancel(ctx)
desync.plan = execution_plan(ctx)
end
end
-- copy desync preserving lua_state
function desync_copy(desync)
local dcopy = deepcopy(desync)
if desync.track then
-- preserve lua state
dcopy.track.lua_state = desync.track.lua_state
end
if desync.plan then
-- preserve execution plan
dcopy.plan = desync.plan
end
return dcopy
end
-- redo what whould be done without orchestration
function replay_execution_plan(desync)
local verdict = VERDICT_PASS
while true do
local instance = plan_instance_pop(desync)
if not instance then break end
verdict = plan_instance_execute(desync, verdict, instance)
end
return verdict
end
-- this function demonstrates how to stop execution of upcoming desync instances and take over their job
-- this can be used, for example, for orchestrating conditional processing without modifying of desync functions code
-- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-desync=desync_orchestrator_example --lua-desync=pass --lua-desync=pass
function desync_orchestrator_example(ctx, desync)
DLOG("orchestrator: taking over upcoming desync instances")
orchestrate(ctx, desync)
return replay_execution_plan(desync)
end
-- these functions duplicate range check logic from C code
-- mode must be n,d,b,s,x,a
-- pos is {mode,pos}
-- range is {from={mode,pos}, to={mode,pos}, upper_cutoff}
-- upper_cutoff = true means non-inclusive upper boundary
function pos_get_pos(track_pos, mode)
if track_pos then
if mode=='n' then
return track_pos.pcounter
elseif mode=='d' then
return track_pos.pdcounter
elseif mode=='b' then
return track_pos.pbcounter
elseif track_pos.tcp then
if mode=='s' then
return track_pos.tcp.rseq
elseif mode=='p' then
return track_pos.tcp.pos
end
end
end
return 0
end
function pos_get(desync, mode, reverse)
if desync.track then
local track_pos = reverse and desync.track.pos.reverse or desync.track.pos.direct
return pos_get_pos(track_pos,mode)
end
return 0
end
function pos_check_from(desync, range)
if range.from.mode == 'x' then return false end
if range.from.mode ~= 'a' then
if desync.track then
return pos_get(desync, range.from.mode) >= range.from.pos
else
return false
end
end
return true;
end
function pos_check_to(desync, range)
local ps
if range.to.mode == 'x' then return false end
if range.to.mode ~= 'a' then
if desync.track then
ps = pos_get(desync, range.to.mode)
return (ps < range.to.pos) or not range.upper_cutoff and (ps == range.to.pos)
else
return false
end
end
return true;
end
function pos_check_range(desync, range)
return pos_check_from(desync,range) and pos_check_to(desync,range)
end
function pos_range_str(range)
return range.from.mode..range.from.pos..(range.upper_cutoff and '<' or '-')..range.to.mode..range.to.pos
end
function pos_str(desync, pos)
return pos.mode..pos_get(desync, pos.mode)
end
function is_retransmission(desync)
return desync.track and desync.track.tcp and 0==bitand(u32add(desync.track.tcp.uppos_orig_prev, -desync.track.tcp.pos_orig), 0x80000000)
end
-- prepare standard rawsend options from desync
-- repeats - how many time send the packet
@@ -108,12 +371,15 @@ function str_or_hex(s)
return s
end
end
function logical_xor(a,b)
return a and not b or not a and b
end
-- print to DLOG any variable. tables are expanded in the tree form, unprintables strings are hex dumped
function var_debug(v)
local function dbg(v,level)
if type(v)=="table" then
for key, value in pairs(v) do
DLOG(string.rep(" ",2*level).."."..key)
DLOG(string.rep(" ",2*level).."."..tostring(key))
dbg(v[key],level+1)
end
elseif type(v)=="string" then
@@ -301,6 +567,88 @@ function http_dissect_req(http)
local uri = string.sub(req,pos,pnext-1)
return { method = method, uri = uri, headers = http_dissect_headers(http,hdrpos) }
end
function http_dissect_reply(http)
if not http then return nil; end
local s, pos, code
s = string.sub(http,1,8)
if s~="HTTP/1.1" and s~="HTTP/1.0" then return nil end
pos = string.find(http,"[ \t\r\n]",10)
code = tonumber(string.sub(http,10,pos-1))
if not code then return nil end
pos = find_next_line(http,pos)
return { code = code, headers = http_dissect_headers(http,pos) }
end
function dissect_url(url)
local p1,pb,pstart,pend
local proto, creds, domain, port, uri
p1 = string.find(url,"[^ \t]")
if not p1 then return nil end
pb = p1
pstart,pend = string.find(url,"[a-z]+://",p1)
if pend then
proto = string.sub(url,pstart,pend-3)
p1 = pend+1
end
pstart,pend = string.find(url,"[@/]",p1)
if pend and string.sub(url,pstart,pend)=='@' then
creds = string.sub(url,p1,pend-1)
p1 = pend+1
end
pstart,pend = string.find(url,"/",p1,true)
if pend then
if pend==pb then
uri = string.sub(url,pb)
else
uri = string.sub(url,pend)
domain = string.sub(url,p1,pend-1)
end
else
if proto then
domain = string.sub(url,p1)
else
uri = string.sub(url,p1)
end
end
if domain then
pstart,pend = string.find(domain,':',1,true)
if pend then
port = string.sub(domain, pend+1)
domain = string.sub(domain, 1, pstart-1)
end
end
return { proto = proto, creds = creds, domain = domain, port = port, uri=uri }
end
function dissect_nld(domain, level)
if domain then
local n=1
for pos=#domain,1,-1 do
if string.sub(domain,pos,pos)=='.' then
if n==level then
return string.sub(domain, pos+1)
end
n=n+1
end
end
if n==level then
return domain
end
end
return nil
end
-- support sni=%var
function tls_mod_shim(desync, blob, modlist, payload)
local p1,p2 = string.find(modlist,"sni=%%[^,]+")
if p1 then
local var = string.sub(modlist,p1+5,p2)
local val = desync[var] or _G[var]
if not val then
error("tls_mod_shim: non-existent var '"..var.."'")
end
modlist = string.sub(modlist,1,p1+3)..val..string.sub(modlist,p2+1)
end
return tls_mod(blob,modlist,payload)
end
-- convert comma separated list of tcp flags to tcp.th_flags bit field
function parse_tcp_flags(s)
@@ -513,10 +861,10 @@ function apply_fooling(desync, dis, fooling_options)
if not dis then dis = desync.dis end
if dis.tcp then
if tonumber(fooling_options.tcp_seq) then
dis.tcp.th_seq = dis.tcp.th_seq + fooling_options.tcp_seq
dis.tcp.th_seq = u32add(dis.tcp.th_seq, fooling_options.tcp_seq)
end
if tonumber(fooling_options.tcp_ack) then
dis.tcp.th_ack = dis.tcp.th_ack + fooling_options.tcp_ack
dis.tcp.th_ack = u32add(dis.tcp.th_ack, fooling_options.tcp_ack)
end
if fooling_options.tcp_flags_unset then
dis.tcp.th_flags = bitand(dis.tcp.th_flags, bitnot(parse_tcp_flags(fooling_options.tcp_flags_unset)))
@@ -527,7 +875,7 @@ function apply_fooling(desync, dis, fooling_options)
if tonumber(fooling_options.tcp_ts) then
local idx = find_tcp_option(dis.tcp.options,TCP_KIND_TS)
if idx and (dis.tcp.options[idx].data and #dis.tcp.options[idx].data or 0)==8 then
dis.tcp.options[idx].data = bu32(u32(dis.tcp.options[idx].data)+fooling_options.tcp_ts)..string.sub(dis.tcp.options[idx].data,5)
dis.tcp.options[idx].data = bu32(u32add(u32(dis.tcp.options[idx].data),fooling_options.tcp_ts))..string.sub(dis.tcp.options[idx].data,5)
else
DLOG("apply_fooling: timestamp tcp option not present or invalid")
end
@@ -744,7 +1092,6 @@ end
-- send dissect with tcp segmentation based on mss value. appply specified rawsend options.
function rawsend_dissect_segmented(desync, dis, mss, options)
local discopy = deepcopy(dis)
apply_ip_id(desync, discopy, options and options.ipid)
apply_fooling(desync, discopy, options and options.fooling)
if dis.tcp then
@@ -760,6 +1107,7 @@ function rawsend_dissect_segmented(desync, dis, mss, options)
len = #payload - pos + 1
if len > max_data then len = max_data end
discopy.payload = string.sub(payload,pos,pos+len-1)
apply_ip_id(desync, discopy, options and options.ipid)
if not rawsend_dissect_ipfrag(discopy, options) then
-- stop if failed
return false
@@ -770,6 +1118,7 @@ function rawsend_dissect_segmented(desync, dis, mss, options)
return true
end
end
apply_ip_id(desync, discopy, options and options.ipid)
-- no reason to segment
return rawsend_dissect_ipfrag(discopy, options)
end
@@ -796,23 +1145,27 @@ function direction_cutoff_opposite(ctx, desync, def)
local dir = desync.arg.dir or def or "out"
if dir=="out" then
-- cutoff in
instance_cutoff(ctx, false)
instance_cutoff_shim(ctx, desync, false)
elseif dir=="in" then
-- cutoff out
instance_cutoff(ctx, true)
instance_cutoff_shim(ctx, desync, true)
end
end
-- return true if l7payload matches filter l7payload_filter - comma separated list of payload types
function payload_match_filter(l7payload, l7payload_filter, def)
local argpl = l7payload_filter or def or "known"
local neg = string.sub(argpl,1,1)=="~"
local pl = neg and string.sub(argpl,2) or argpl
return neg ~= (in_list(pl, "all") or in_list(pl, l7payload) or in_list(pl, "known") and l7payload~="unknown" and l7payload~="empty")
end
-- check if desync payload type comply with payload type list in arg.payload
-- if arg.payload is not present - check for known payload - not empty and not unknown (nfqws1 behavior without "--desync-any-protocol" option)
-- if arg.payload is prefixed with '~' - it means negation
function payload_check(desync, def)
local b
local argpl = desync.arg.payload or def or "known"
local neg = string.sub(argpl,1,1)=="~"
local pl = neg and string.sub(argpl,2) or argpl
b = neg ~= (in_list(pl, "all") or in_list(pl, desync.l7payload) or in_list(pl, "known") and desync.l7payload~="unknown" and desync.l7payload~="empty")
if not b then
local b = payload_match_filter(desync.l7payload, desync.arg.payload, def)
if not b and b_debug then
local argpl = desync.arg.payload or def or "known"
DLOG("payload_check: payload '"..desync.l7payload.."' does not pass '"..argpl.."' filter")
end
return b
@@ -883,6 +1236,14 @@ function genhost(len, template)
end
end
-- return hostname if present or ip address in text form otherwise
function host_or_ip(desync)
if desync.track and desync.track.hostname then
return desync.track.hostname
end
return desync.target.ip and ntop(desync.target.ip) or desync.target.ip6 and ntop(desync.target.ip6)
end
function is_absolute_path(path)
if string.sub(path,1,1)=='/' then return true end
local un = uname()
@@ -1031,4 +1392,3 @@ function ipfrag2(dis, ipfrag_options)
return {dis1,dis2}
end

38
lua/zapret-tests.lua
View File

@@ -264,8 +264,8 @@ end
function test_bit()
local v, v2, v3, v4, b1, b2, pow
v = math.random(0,0xFFFFFFFFFFFF)
b1 = math.random(1,15)
v = math.random(0,0xFFFFFFFF)
b1 = math.random(1,16)
v2 = bitrshift(v, b1)
pow = 2^b1
@@ -275,17 +275,17 @@ function test_bit()
v2 = bitlshift(v, b1)
pow = 2^b1
v3 = v * pow
print(string.format("lshift(0x%X,%u) = 0x%X 0x%X*%u = 0x%X", v,b1,v2, v,pow,v3))
v3 = (v * pow) % 0x100000000
print(string.format("lshift(0x%X,%u) = 0x%X 0x%X*%u %% 0x10000000 = 0x%X", v,b1,v2, v,pow,v3))
test_assert(v2==v3)
v2 = math.random(0,0xFFFFFFFFFFFF)
v2 = math.random(0,0xFFFFFFFF)
v3 = bitxor(v, v2)
v4 = bitor(v, v2) - bitand(v, v2)
print(string.format("xor(0x%X,0x%X) = %X or/and/minus = %X", v, v2, v3, v4))
test_assert(v3==v4)
b2 = b1 + math.random(1,31)
b2 = b1 + math.random(1,15)
v2 = bitget(v, b1, b2)
pow = 2^(b2-b1+1) - 1
v3 = bitand(bitrshift(v,b1), pow)
@@ -299,8 +299,32 @@ function test_bit()
test_assert(v2==v3)
end
function test_ux()
local v1, v2, v3, usum, sum
for k,test in pairs({
{ add=u8add, fname="u8add", max = 0xFF },
{ add=u16add, fname="u16add", max = 0xFFFF },
{ add=u24add, fname="u24add", max = 0xFFFFFF },
{ add=u32add, fname="u32add", max = 0xFFFFFFFF }
}) do
io.write(test.fname.." : ")
for i=1,1000 do
v1=math.random(-test.max,test.max)
v2=math.random(-test.max,test.max)
v3=math.random(-test.max,test.max)
usum = test.add(v1,v2,v3)
sum = bitand((v1+v2+v3)%(test.max+1),test.max)
if sum~=usum then
print("FAIL")
end
test_assert(sum==usum)
end
print("OK")
end
end
function test_bin(...)
test_run({test_ub, test_bit},...)
test_run({test_ub, test_bit, test_ux},...)
end

181
nfq2/conntrack.c
View File

@@ -37,7 +37,7 @@ void ConntrackClearHostname(t_ctrack *track)
static void ConntrackClearTrack(t_ctrack *track)
{
ConntrackClearHostname(track);
ReasmClear(&track->reasm_orig);
ReasmClear(&track->reasm_client);
rawpacket_queue_destroy(&track->delayed);
luaL_unref(params.L, LUA_REGISTRYINDEX, track->lua_state);
luaL_unref(params.L, LUA_REGISTRYINDEX, track->lua_instance_cutoff);
@@ -102,8 +102,7 @@ static void ConntrackInitTrack(t_ctrack *t)
{
memset(t, 0, sizeof(*t));
t->l7proto = L7_UNKNOWN;
t->scale_orig = t->scale_reply = SCALE_NONE;
time(&t->t_start);
t->pos.client.scale = t->pos.server.scale = SCALE_NONE;
rawpacket_queue_init(&t->delayed);
lua_newtable(params.L);
t->lua_state = luaL_ref(params.L, LUA_REGISTRYINDEX);
@@ -128,6 +127,36 @@ static t_conntrack_pool *ConntrackNew(t_conntrack_pool **pp, const t_conn *c)
return ctnew;
}
static void ConntrackApplyPos(const struct tcphdr *tcp, t_ctrack *t, bool bReverse, uint32_t len_payload)
{
uint8_t scale;
uint16_t mss;
t_ctrack_position *direct, *reverse;
direct = bReverse ? &t->pos.server : &t->pos.client;
reverse = bReverse ? &t->pos.client : &t->pos.server;
scale = tcp_find_scale_factor(tcp);
mss = ntohs(tcp_find_mss(tcp));
direct->seq_last = ntohl(tcp->th_seq);
direct->pos = direct->seq_last + len_payload;
reverse->pos = reverse->seq_last = ntohl(tcp->th_ack);
if (t->pos.state == SYN)
direct->uppos_prev = direct->uppos = direct->pos;
else if (len_payload)
{
direct->uppos_prev = direct->uppos;
if (!((direct->pos - direct->uppos) & 0x80000000))
direct->uppos = direct->pos;
}
direct->winsize = ntohs(tcp->th_win);
direct->winsize_calc = direct->winsize;
if (direct->scale != SCALE_NONE) direct->winsize_calc <<= direct->scale;
if (mss && !direct->mss) direct->mss = mss;
if (scale != SCALE_NONE) direct->scale = scale;
}
// non-tcp packets are passed with tcphdr=NULL but len_payload filled
static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr *tcphdr, uint32_t len_payload)
{
@@ -136,86 +165,65 @@ static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr
if (bReverse)
{
t->pcounter_reply++;
t->pdcounter_reply += !!len_payload;
t->pbcounter_reply += len_payload;
t->pos.server.pcounter++;
t->pos.server.pdcounter += !!len_payload;
t->pos.server.pbcounter += len_payload;
}
else
{
t->pcounter_orig++;
t->pdcounter_orig += !!len_payload;
t->pbcounter_orig += len_payload;
t->pos.client.pcounter++;
t->pos.client.pdcounter += !!len_payload;
t->pos.client.pbcounter += len_payload;
}
if (tcphdr)
{
if (tcp_syn_segment(tcphdr))
{
if (t->state != SYN) ConntrackReInitTrack(t); // erase current entry
t->seq0 = ntohl(tcphdr->th_seq);
if (t->pos.state != SYN) ConntrackReInitTrack(t); // erase current entry
t->pos.client.seq0 = ntohl(tcphdr->th_seq);
}
else if (tcp_synack_segment(tcphdr))
{
// ignore SA dups
uint32_t seq0 = ntohl(tcphdr->th_ack) - 1;
if (t->state != SYN && t->seq0 != seq0)
if (t->pos.state != SYN && t->pos.client.seq0 != seq0)
ConntrackReInitTrack(t); // erase current entry
if (!t->seq0) t->seq0 = seq0;
t->ack0 = ntohl(tcphdr->th_seq);
if (!t->pos.client.seq0) t->pos.client.seq0 = seq0;
t->pos.server.seq0 = ntohl(tcphdr->th_seq);
}
else if (tcphdr->th_flags & (TH_FIN | TH_RST))
{
t->state = FIN;
t->pos.state = FIN;
}
else
{
if (t->state == SYN)
if (t->pos.state == SYN)
{
t->state = ESTABLISHED;
if (!bReverse && !t->ack0) t->ack0 = ntohl(tcphdr->th_ack) - 1;
t->pos.state = ESTABLISHED;
if (!bReverse && !t->pos.server.seq0) t->pos.server.seq0 = ntohl(tcphdr->th_ack) - 1;
}
}
scale = tcp_find_scale_factor(tcphdr);
mss = ntohs(tcp_find_mss(tcphdr));
if (bReverse)
{
t->pos_orig = t->seq_last = ntohl(tcphdr->th_ack);
t->ack_last = ntohl(tcphdr->th_seq);
t->pos_reply = t->ack_last + len_payload;
t->winsize_reply = ntohs(tcphdr->th_win);
t->winsize_reply_calc = t->winsize_reply;
if (t->scale_reply != SCALE_NONE) t->winsize_reply_calc <<= t->scale_reply;
if (mss && !t->mss_reply) t->mss_reply = mss;
if (scale != SCALE_NONE) t->scale_reply = scale;
}
else
{
t->seq_last = ntohl(tcphdr->th_seq);
t->pos_orig = t->seq_last + len_payload;
t->pos_reply = t->ack_last = ntohl(tcphdr->th_ack);
t->winsize_orig = ntohs(tcphdr->th_win);
t->winsize_orig_calc = t->winsize_orig;
if (t->scale_orig != SCALE_NONE) t->winsize_orig_calc <<= t->scale_orig;
if (mss && !t->mss_reply) t->mss_orig = mss;
if (scale != SCALE_NONE) t->scale_orig = scale;
}
ConntrackApplyPos(tcphdr, t, bReverse, len_payload);
}
else
{
if (bReverse)
{
t->ack_last = t->pos_reply;
t->pos_reply += len_payload;
t->pos.server.seq_last = t->pos.server.pos;
t->pos.server.pos += len_payload;
}
else
{
t->seq_last = t->pos_orig;
t->pos_orig += len_payload;
t->pos.client.seq_last = t->pos.client.pos;
t->pos.client.pos += len_payload;
}
}
time(&t->t_last);
clock_gettime(CLOCK_REALTIME, &t->pos.t_last);
// make sure t_start gets exactly the same value as first t_last
if (!t->t_start.tv_sec) t->t_start = t->pos.t_last;
}
static bool ConntrackPoolDoubleSearchPool(t_conntrack_pool **pp, const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcphdr, const struct udphdr *udphdr, t_ctrack **ctrack, bool *bReverse)
@@ -311,25 +319,27 @@ bool ConntrackPoolDrop(t_conntrack *p, const struct ip *ip, const struct ip6_hdr
void ConntrackPoolPurge(t_conntrack *p)
{
time_t tidle, tnow = time(NULL);
time_t tidle;
struct timespec tnow;
t_conntrack_pool *t, *tmp;
if ((tnow - p->t_last_purge) >= p->t_purge_interval)
if (clock_gettime(CLOCK_REALTIME, &tnow)) return;
if ((tnow.tv_sec - p->t_last_purge) >= p->t_purge_interval)
{
HASH_ITER(hh, p->pool, t, tmp) {
tidle = tnow - t->track.t_last;
tidle = tnow.tv_sec - t->track.pos.t_last.tv_sec;
if (t->track.b_cutoff ||
(t->conn.l4proto == IPPROTO_TCP && (
(t->track.state == SYN && tidle >= p->timeout_syn) ||
(t->track.state == ESTABLISHED && tidle >= p->timeout_established) ||
(t->track.state == FIN && tidle >= p->timeout_fin))
(t->track.pos.state == SYN && tidle >= p->timeout_syn) ||
(t->track.pos.state == ESTABLISHED && tidle >= p->timeout_established) ||
(t->track.pos.state == FIN && tidle >= p->timeout_fin))
) || (t->conn.l4proto == IPPROTO_UDP && tidle >= p->timeout_udp)
)
{
HASH_DEL(p->pool, t); ConntrackFreeElem(t);
}
}
p->t_last_purge = tnow;
p->t_last_purge = tnow.tv_sec;
}
}
@@ -341,29 +351,31 @@ static void taddr2str(uint8_t l3proto, const t_addr *a, char *buf, size_t bufsiz
void ConntrackPoolDump(const t_conntrack *p)
{
t_conntrack_pool *t, *tmp;
struct timespec tnow;
char sa1[40], sa2[40];
time_t tnow = time(NULL);
if (clock_gettime(CLOCK_REALTIME, &tnow)) return;
HASH_ITER(hh, p->pool, t, tmp) {
taddr2str(t->conn.l3proto, &t->conn.src, sa1, sizeof(sa1));
taddr2str(t->conn.l3proto, &t->conn.dst, sa2, sizeof(sa2));
printf("%s [%s]:%u => [%s]:%u : %s : t0=%llu last=t0+%llu now=last+%llu orig=d%llu/n%llu/b%llu reply=d%llu/n%llu/b%lld ",
printf("%s [%s]:%u => [%s]:%u : %s : t0=%llu last=t0+%llu now=last+%llu client=d%llu/n%llu/b%llu server=d%llu/n%llu/b%lld ",
proto_name(t->conn.l4proto),
sa1, t->conn.sport, sa2, t->conn.dport,
t->conn.l4proto == IPPROTO_TCP ? connstate_s[t->track.state] : "-",
(unsigned long long)t->track.t_start, (unsigned long long)(t->track.t_last - t->track.t_start), (unsigned long long)(tnow - t->track.t_last),
(unsigned long long)t->track.pdcounter_orig, (unsigned long long)t->track.pcounter_orig, (unsigned long long)t->track.pbcounter_orig,
(unsigned long long)t->track.pdcounter_reply, (unsigned long long)t->track.pcounter_reply, (unsigned long long)t->track.pbcounter_reply);
t->conn.l4proto == IPPROTO_TCP ? connstate_s[t->track.pos.state] : "-",
(unsigned long long)t->track.t_start.tv_sec, (unsigned long long)(t->track.pos.t_last.tv_sec - t->track.t_start.tv_sec), (unsigned long long)(tnow.tv_sec - t->track.pos.t_last.tv_sec),
(unsigned long long)t->track.pos.client.pdcounter, (unsigned long long)t->track.pos.client.pcounter, (unsigned long long)t->track.pos.client.pbcounter,
(unsigned long long)t->track.pos.server.pdcounter, (unsigned long long)t->track.pos.server.pcounter, (unsigned long long)t->track.pos.server.pbcounter);
if (t->conn.l4proto == IPPROTO_TCP)
printf("seq0=%u rseq=%u pos_orig=%u ack0=%u rack=%u pos_reply=%u mss_orig=%u mss_reply=%u wsize_orig=%u:%d wsize_reply=%u:%d",
t->track.seq0, t->track.seq_last - t->track.seq0, t->track.pos_orig - t->track.seq0,
t->track.ack0, t->track.ack_last - t->track.ack0, t->track.pos_reply - t->track.ack0,
t->track.mss_orig, t->track.mss_reply,
t->track.winsize_orig, t->track.scale_orig == SCALE_NONE ? -1 : t->track.scale_orig,
t->track.winsize_reply, t->track.scale_reply == SCALE_NONE ? -1 : t->track.scale_reply);
printf("seq0=%u rseq=%u client.pos=%u ack0=%u rack=%u server.pos=%u client.mss=%u server.mss=%u client.wsize=%u:%d server.wsize=%u:%d",
t->track.pos.client.seq0, t->track.pos.client.seq_last - t->track.pos.client.seq0, t->track.pos.client.pos - t->track.pos.client.seq0,
t->track.pos.server.seq0, t->track.pos.server.seq_last - t->track.pos.server.seq0, t->track.pos.server.pos - t->track.pos.server.seq0,
t->track.pos.client.mss, t->track.pos.server.mss,
t->track.pos.client.winsize, t->track.pos.client.scale == SCALE_NONE ? -1 : t->track.pos.client.scale,
t->track.pos.server.winsize, t->track.pos.server.scale == SCALE_NONE ? -1 : t->track.pos.server.scale);
else
printf("rseq=%u pos_orig=%u rack=%u pos_reply=%u",
t->track.seq_last, t->track.pos_orig,
t->track.ack_last, t->track.pos_reply);
printf("rseq=%u client.pos=%u rack=%u server.pos=%u",
t->track.pos.client.seq_last, t->track.pos.client.pos,
t->track.pos.server.seq_last, t->track.pos.server.pos);
printf(" req_retrans=%u cutoff=%u lua_in_cutoff=%u lua_out_cutoff=%u hostname=%s l7proto=%s\n",
t->track.req_retrans_counter, t->track.b_cutoff, t->track.b_lua_in_cutoff, t->track.b_lua_out_cutoff, t->track.hostname, l7proto_str(t->track.l7proto));
};
@@ -394,17 +406,30 @@ bool ReasmResize(t_reassemble *reasm, size_t new_size)
if (reasm->size_present > new_size) reasm->size_present = new_size;
return true;
}
#define REASM_MAX_NEG 0x100000
bool ReasmFeed(t_reassemble *reasm, uint32_t seq, const void *payload, size_t len)
{
if (reasm->seq != seq) return false; // fail session if out of sequence
size_t szcopy;
szcopy = reasm->size - reasm->size_present;
if (len < szcopy) szcopy = len;
memcpy(reasm->packet + reasm->size_present, payload, szcopy);
reasm->size_present += szcopy;
reasm->seq += (uint32_t)szcopy;
uint32_t dseq = seq - reasm->seq;
if (dseq && (dseq < REASM_MAX_NEG))
return false; // fail session if a gap about to appear
uint32_t neg_overlap = reasm->seq - seq;
if (neg_overlap > REASM_MAX_NEG)
return false; // too big minus
size_t szcopy, szignore;
szignore = (neg_overlap > reasm->size_present) ? neg_overlap - reasm->size_present : 0;
if (szignore>=len) return true; // everyting is before the starting pos
szcopy = len - szignore;
neg_overlap -= szignore;
if ((reasm->size_present - neg_overlap + szcopy) > reasm->size)
return false; // buffer overflow
// in case of seq overlap new data replaces old - unix behavior
memcpy(reasm->packet + reasm->size_present - neg_overlap, payload + szignore, szcopy);
if (szcopy>neg_overlap)
{
reasm->size_present += szcopy - neg_overlap;
reasm->seq += (uint32_t)szcopy - neg_overlap;
}
return true;
}
bool ReasmHasSpace(t_reassemble *reasm, size_t len)

34
nfq2/conntrack.h
View File

@@ -8,7 +8,6 @@
#include <stdint.h>
#include <ctype.h>
#include <sys/types.h>
#include <time.h>
#include <netinet/in.h>
#define __FAVOR_BSD
@@ -17,6 +16,7 @@
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include "conntrack_base.h"
#include "packet_queue.h"
#include "protocol.h"
@@ -43,43 +43,27 @@ typedef struct
// this structure helps to reassemble continuous packets streams. it does not support out-of-orders
typedef struct {
uint8_t *packet; // allocated for size during reassemble request. requestor must know the message size.
uint32_t seq; // current seq number. if a packet comes with an unexpected seq - it fails reassemble session.
uint32_t seq; // current seq number. if a packet comes with unsupported seq overlap - it fails reassemble session.
size_t size; // expected message size. success means that we have received exactly 'size' bytes and have them in 'packet'
size_t size_present; // how many bytes already stored in 'packet'
} t_reassemble;
// SYN - SYN or SYN/ACK received
// ESTABLISHED - any except SYN or SYN/ACK received
// FIN - FIN or RST received
typedef enum {SYN=0, ESTABLISHED, FIN} t_connstate;
typedef struct
{
bool bCheckDone, bCheckResult, bCheckExcluded; // hostlist check result cache
uint8_t ipproto;
struct timespec t_start;
// this block of data can change between delayed (queued) packets. need to remeber this data for each packet for further replay
t_ctrack_positions pos;
struct desync_profile *dp; // desync profile cache
bool dp_search_complete;
// common state
time_t t_start, t_last;
uint64_t pcounter_orig, pcounter_reply; // packet counter
uint64_t pdcounter_orig, pdcounter_reply; // data packet counter (with payload)
uint64_t pbcounter_orig, pbcounter_reply; // transferred byte counter. includes retransmissions. it's not the same as relative seq.
uint32_t pos_orig, pos_reply; // TCP: seq_last+payload, ack_last+payload UDP: sum of all seen payload lenghts including current
uint32_t seq_last, ack_last; // TCP: last seen seq and ack UDP: sum of all seen payload lenghts NOT including current
// tcp only state, not used in udp
t_connstate state;
uint32_t seq0, ack0; // starting seq and ack
uint16_t winsize_orig, winsize_reply; // last seen window size
uint8_t scale_orig, scale_reply; // last seen window scale factor. SCALE_NONE if none
uint32_t winsize_orig_calc, winsize_reply_calc; // calculated window size
uint16_t mss_orig, mss_reply;
uint8_t req_retrans_counter; // number of request retransmissions
bool req_seq_present,req_seq_finalized,req_seq_abandoned;
uint32_t req_seq_start,req_seq_end; // sequence interval of the request (to track retransmissions)
bool failure_detect_finalized;
uint8_t incoming_ttl;
@@ -96,7 +80,7 @@ typedef struct
int lua_state; // registry index of associated LUA object
int lua_instance_cutoff; // registry index of per connection function instance cutoff table
t_reassemble reasm_orig;
t_reassemble reasm_client;
struct rawpacket_tailhead delayed;
} t_ctrack;

39
nfq2/conntrack_base.h Normal file
View File

@@ -0,0 +1,39 @@
#pragma once
#include <time.h>
#define CTRACK_T_SYN 60
#define CTRACK_T_FIN 60
#define CTRACK_T_EST 300
#define CTRACK_T_UDP 60
// SYN - SYN or SYN/ACK received
// ESTABLISHED - any except SYN or SYN/ACK received
// FIN - FIN or RST received
typedef enum {SYN=0, ESTABLISHED, FIN} t_connstate;
typedef struct
{
uint64_t pcounter; // packet counter
uint64_t pdcounter; // data packet counter (with payload)
uint64_t pbcounter; // transferred byte counter. includes retransmissions. it's not the same as relative seq.
uint32_t pos; // TCP: seq_last+payload, ack_last+payload UDP: sum of all seen payload lenghts including current
uint32_t uppos; // max seen position. useful to detect retransmissions
uint32_t uppos_prev; // previous max seen position. useful to detect retransmissions
uint32_t seq_last; // TCP: last seen seq and ack UDP: sum of all seen payload lenghts NOT including current
// tcp only state, not used in udp
uint32_t seq0; // starting seq and ack
uint16_t winsize; // last seen window size
uint8_t scale; // last seen window scale factor. SCALE_NONE if none
uint32_t winsize_calc; // calculated window size
uint16_t mss;
} t_ctrack_position;
typedef struct
{
struct timespec t_last;
t_connstate state;
t_ctrack_position client, server;
}
t_ctrack_positions;

487
nfq2/desync.c
View File

File diff suppressed because it is too large Load Diff

2
nfq2/helpers.c
View File

@@ -514,7 +514,7 @@ bool pf_is_empty(const port_filter *pf)
bool packet_pos_parse(const char *s, struct packet_pos *pos)
{
if (*s!='n' && *s!='d' && *s!='s' && *s!='b' && *s!='x' && *s!='a') return false;
if (*s!='n' && *s!='d' && *s!='s' && *s!='p' && *s!='b' && *s!='x' && *s!='a') return false;
pos->mode=*s;
if (pos->mode=='x' || pos->mode=='a')
{

47
nfq2/hostlist.c
View File

@@ -258,7 +258,7 @@ static bool HostlistCheck_(const struct hostlist_collection_head *hostlists, con
// return : true = apply fooling, false = do not apply
bool HostlistCheck(const struct desync_profile *dp, const char *host, bool no_match_subdomains, bool *excluded, bool bSkipReloadCheck)
{
DLOG("* hostlist check for profile %u\n",dp->n);
DLOG("* hostlist check for profile %u (%s)\n",dp->n,PROFILE_NAME(dp));
return HostlistCheck_(&dp->hl_collection, &dp->hl_collection_exclude, host, no_match_subdomains, excluded, bSkipReloadCheck);
}
@@ -301,13 +301,34 @@ struct hostlist_file *RegisterHostlist(struct desync_profile *dp, bool bExclude,
filename);
}
static void HostlistsDebugProfile(const struct desync_profile *dp, const char *entity)
{
struct hostlist_item *hl_item;
LIST_FOREACH(hl_item, &dp->hl_collection, next)
if (hl_item->hfile!=dp->hostlist_auto)
{
if (hl_item->hfile->filename)
DLOG("%s %u (%s) include hostlist %s%s\n",entity, dp->n, PROFILE_NAME(dp), hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
else
DLOG("%s %u (%s) include fixed hostlist%s\n",entity, dp->n, PROFILE_NAME(dp), hl_item->hfile->hostlist ? "" : " (empty)");
}
LIST_FOREACH(hl_item, &dp->hl_collection_exclude, next)
{
if (hl_item->hfile->filename)
DLOG("%s %u (%s) exclude hostlist %s%s\n",entity, dp->n,PROFILE_NAME(dp),hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
else
DLOG("%s %u (%s) exclude fixed hostlist%s\n",entity, dp->n,PROFILE_NAME(dp),hl_item->hfile->hostlist ? "" : " (empty)");
}
if (dp->hostlist_auto)
DLOG("%s %u (%s) auto hostlist %s%s\n",entity, dp->n,PROFILE_NAME(dp),dp->hostlist_auto->filename,dp->hostlist_auto->hostlist ? "" : " (empty)");
}
void HostlistsDebug()
{
if (!params.debug) return;
struct hostlist_file *hfile;
struct desync_profile_list *dpl;
struct hostlist_item *hl_item;
LIST_FOREACH(hfile, &params.hostlists, next)
{
@@ -319,22 +340,10 @@ void HostlistsDebug()
LIST_FOREACH(dpl, &params.desync_profiles, next)
{
LIST_FOREACH(hl_item, &dpl->dp.hl_collection, next)
if (hl_item->hfile!=dpl->dp.hostlist_auto)
{
if (hl_item->hfile->filename)
DLOG("profile %u include hostlist %s%s\n",dpl->dp.n, hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
else
DLOG("profile %u include fixed hostlist%s\n",dpl->dp.n, hl_item->hfile->hostlist ? "" : " (empty)");
}
LIST_FOREACH(hl_item, &dpl->dp.hl_collection_exclude, next)
{
if (hl_item->hfile->filename)
DLOG("profile %u exclude hostlist %s%s\n",dpl->dp.n,hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
else
DLOG("profile %u exclude fixed hostlist%s\n",dpl->dp.n,hl_item->hfile->hostlist ? "" : " (empty)");
}
if (dpl->dp.hostlist_auto)
DLOG("profile %u auto hostlist %s%s\n",dpl->dp.n,dpl->dp.hostlist_auto->filename,dpl->dp.hostlist_auto->hostlist ? "" : " (empty)");
HostlistsDebugProfile(&dpl->dp, "profile");
}
LIST_FOREACH(dpl, &params.desync_templates, next)
{
HostlistsDebugProfile(&dpl->dp, "template");
}
}

37
nfq2/ipset.c
View File

@@ -235,7 +235,7 @@ static bool IpsetCheck_(const struct ipset_collection_head *ips, const struct ip
bool IpsetCheck(const struct desync_profile *dp, const struct in_addr *ipv4, const struct in6_addr *ipv6)
{
if (PROFILE_IPSETS_ABSENT(dp)) return true;
DLOG("* ipset check for profile %u\n",dp->n);
DLOG("* ipset check for profile %u (%s)\n",dp->n,PROFILE_NAME(dp));
return IpsetCheck_(&dp->ips_collection,&dp->ips_collection_exclude,ipv4,ipv6);
}
@@ -287,13 +287,31 @@ static const char *dbg_ipset_fill(const ipset *ips)
else
return "empty";
}
void IpsetsDebugProfile(const struct desync_profile *dp, const char *entity)
{
struct ipset_item *ips_item;
LIST_FOREACH(ips_item, &dp->ips_collection, next)
{
if (ips_item->hfile->filename)
DLOG("%s %u (%s) include ipset %s (%s)\n",entity,dp->n,PROFILE_NAME(dp),ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
else
DLOG("%s %u (%s) include fixed ipset (%s)\n",entity,dp->n,PROFILE_NAME(dp),dbg_ipset_fill(&ips_item->hfile->ipset));
}
LIST_FOREACH(ips_item, &dp->ips_collection_exclude, next)
{
if (ips_item->hfile->filename)
DLOG("%s %u (%s) exclude ipset %s (%s)\n",entity,dp->n,PROFILE_NAME(dp),ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
else
DLOG("%s %u (%s) exclude fixed ipset (%s)\n",entity,dp->n,PROFILE_NAME(dp),dbg_ipset_fill(&ips_item->hfile->ipset));
}
}
void IpsetsDebug()
{
if (!params.debug) return;
struct ipset_file *hfile;
struct desync_profile_list *dpl;
struct ipset_item *ips_item;
LIST_FOREACH(hfile, &params.ipsets, next)
{
@@ -305,15 +323,10 @@ void IpsetsDebug()
LIST_FOREACH(dpl, &params.desync_profiles, next)
{
LIST_FOREACH(ips_item, &dpl->dp.ips_collection, next)
if (ips_item->hfile->filename)
DLOG("profile %u include ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
else
DLOG("profile %u include fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
LIST_FOREACH(ips_item, &dpl->dp.ips_collection_exclude, next)
if (ips_item->hfile->filename)
DLOG("profile %u exclude ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
else
DLOG("profile %u exclude fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
IpsetsDebugProfile(&dpl->dp, "profile");
}
LIST_FOREACH(dpl, &params.desync_templates, next)
{
IpsetsDebugProfile(&dpl->dp, "template");
}
}

544
nfq2/lua.c
View File

@@ -19,6 +19,11 @@
#include "crypto/aes-ctr.h"
void desync_instance(const char *func, unsigned int dp_n, unsigned int func_n, char *instance, size_t inst_size)
{
snprintf(instance, inst_size, "%s_%u_%u", func, dp_n, func_n);
}
static void lua_check_argc(lua_State *L, const char *where, int argc)
{
int num_args = lua_gettop(L);
@@ -63,72 +68,100 @@ static int luacall_DLOG_CONDUP(lua_State *L)
static int luacall_bitlshift(lua_State *L)
{
lua_check_argc(L,"bitlshift",2);
lua_pushinteger(L,luaL_checkinteger(L,1) << luaL_checkinteger(L,2));
int64_t v=(int64_t)luaL_checklint(L,1);
if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
lua_pushlint(L,((uint32_t)v) << luaL_checkinteger(L,2));
return 1;
}
static int luacall_bitrshift(lua_State *L)
{
lua_check_argc(L,"bitrshift",2);
lua_pushinteger(L,((LUA_UNSIGNED)luaL_checkinteger(L,1)) >> luaL_checkinteger(L,2));
int64_t v=(int64_t)luaL_checklint(L,1);
if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
lua_pushlint(L,((uint32_t)v) >> luaL_checkinteger(L,2));
return 1;
}
static int luacall_bitand(lua_State *L)
{
lua_check_argc_range(L,"bitand",2,100);
int argc = lua_gettop(L);
lua_Integer v=luaL_checkinteger(L,1);
for(int i=2;i<=argc;i++) v&=luaL_checkinteger(L,i);
lua_pushinteger(L,v);
int64_t v;
uint32_t sum=0xFFFFFFFF;
for(int i=1;i<=argc;i++)
{
v=(int64_t)luaL_checklint(L,i);
if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
sum&=(uint32_t)v;
}
lua_pushlint(L,sum);
return 1;
}
static int luacall_bitor(lua_State *L)
{
lua_check_argc_range(L,"bitor",2,100);
lua_check_argc_range(L,"bitor",1,100);
int argc = lua_gettop(L);
lua_Integer v=0;
for(int i=1;i<=argc;i++) v|=luaL_checkinteger(L,i);
lua_pushinteger(L,v);
int64_t v;
uint32_t sum=0;
for(int i=1;i<=argc;i++)
{
v=(int64_t)luaL_checklint(L,i);
if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
sum|=(uint32_t)v;
}
lua_pushlint(L,sum);
return 1;
}
static int luacall_bitnot(lua_State *L)
{
lua_check_argc(L,"bitnot",1);
lua_pushinteger(L,~luaL_checkinteger(L,1));
lua_pushlint(L,~(uint32_t)luaL_checklint(L,1));
return 1;
}
static int luacall_bitxor(lua_State *L)
{
lua_check_argc_range(L,"bitxor",2,100);
lua_check_argc_range(L,"bitxor",1,100);
int argc = lua_gettop(L);
lua_Integer v=0;
for(int i=1;i<=argc;i++) v^=luaL_checkinteger(L,i);
lua_pushinteger(L,v);
int64_t v;
uint32_t sum=0;
for(int i=1;i<=argc;i++)
{
v=(int64_t)luaL_checklint(L,i);
if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
sum^=(uint32_t)v;
}
lua_pushlint(L,sum);
return 1;
}
static int luacall_bitget(lua_State *L)
{
lua_check_argc(L,"bitget",3);
LUA_UNSIGNED what = (LUA_UNSIGNED)luaL_checkinteger(L,1);
int64_t iwhat = (int64_t)luaL_checklint(L,1);
if (iwhat>0xFFFFFFFF || iwhat<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
uint32_t what = (uint32_t)iwhat;
lua_Integer from = luaL_checkinteger(L,2);
lua_Integer to = luaL_checkinteger(L,3);
if (from>to || from>63 || to>63)
if (from>to || from>31 || to>31)
luaL_error(L, "bit range invalid");
what = (what >> from) & ~((lua_Integer)-1 << (to-from+1));
lua_pushinteger(L,what);
lua_pushlint(L,what);
return 1;
}
static int luacall_bitset(lua_State *L)
{
lua_check_argc(L,"bitset",4);
LUA_UNSIGNED what = (LUA_UNSIGNED)luaL_checkinteger(L,1);
int64_t iwhat = (int64_t)luaL_checklint(L,1);
if (iwhat>0xFFFFFFFF || iwhat<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
uint32_t what = (uint32_t)iwhat;
lua_Integer from = luaL_checkinteger(L,2);
lua_Integer to = luaL_checkinteger(L,3);
LUA_UNSIGNED set = (LUA_UNSIGNED)luaL_checkinteger(L,4);
if (from>to || from>63 || to>63)
int64_t iset = (int64_t)luaL_checklint(L,4);
if (iset>0xFFFFFFFF || iset<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
uint32_t set = (uint32_t)iset;
if (from>to || from>31 || to>31)
luaL_error(L, "bit range invalid");
lua_Integer mask = ~((lua_Integer)-1 << (to-from+1));
@@ -136,7 +169,7 @@ static int luacall_bitset(lua_State *L)
mask <<= from;
what = what & ~mask | set;
lua_pushinteger(L,what);
lua_pushlint(L,what);
return 1;
}
@@ -193,15 +226,15 @@ static int luacall_u32(lua_State *L)
offset = (argc>=2 && lua_type(L,2)!=LUA_TNIL) ? luaL_checkinteger(L,2)-1 : 0;
if (offset<0 || (offset+4)>l) luaL_error(L, "out of range");
lua_pushinteger(L,pntoh32(p+offset));
lua_pushlint(L,pntoh32(p+offset));
return 1;
}
static int luacall_swap16(lua_State *L)
{
lua_check_argc(L,"swap16",1);
lua_Integer i = luaL_checkinteger(L,1);
if (i>0xFFFF || i<-(lua_Integer)0xFFFF) luaL_error(L, "out of range");
int64_t i = (int64_t)luaL_checklint(L,1);
if (i>0xFFFF || i<-(int64_t)0xFFFF) luaL_error(L, "out of range");
uint16_t u = (uint16_t)i;
// __builtin_bswap16 is absent in ancient lexra gcc 4.6
lua_pushinteger(L,(u>>8) | ((u&0xFF)<<8));
@@ -211,17 +244,52 @@ static int luacall_swap32(lua_State *L)
{
lua_check_argc(L,"swap32",1);
lua_Integer i = luaL_checkinteger(L,1);
if (i>0xFFFFFFFF || i<-(lua_Integer)0xFFFFFFFF) luaL_error(L, "out of range");
int64_t i =(int64_t)luaL_checklint(L,1);
if (i>0xFFFFFFFF || i<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
uint32_t u = (uint32_t)i;
lua_pushinteger(L,__builtin_bswap32(u));
lua_pushlint(L,__builtin_bswap32(u));
return 1;
}
static int lua_uxadd(lua_State *L, uint32_t max)
{
int64_t v;
uint32_t sum=0;
int argc = lua_gettop(L);
for(int i=1;i<=argc;i++)
{
v = (int64_t)luaL_checklint(L,i);
if (v>max || v<-(int64_t)max) luaL_error(L, "out of range");
sum+=(uint32_t)v;
}
lua_pushlint(L, sum & max);
return 1;
}
static int luacall_u8add(lua_State *L)
{
lua_check_argc_range(L,"u8add",1,100);
return lua_uxadd(L, 0xFF);
}
static int luacall_u16add(lua_State *L)
{
lua_check_argc_range(L,"u16add",1,100);
return lua_uxadd(L, 0xFFFF);
}
static int luacall_u24add(lua_State *L)
{
lua_check_argc_range(L,"u24add",1,100);
return lua_uxadd(L, 0xFFFFFF);
}
static int luacall_u32add(lua_State *L)
{
lua_check_argc_range(L,"u32add",1,100);
return lua_uxadd(L, 0xFFFFFFFF);
}
static int luacall_bu8(lua_State *L)
{
lua_check_argc(L,"bu8",1);
lua_Integer i = luaL_checkinteger(L,1);
int64_t i = (int64_t)luaL_checklint(L,1);
if (i>0xFF || i<-(lua_Integer)0xFF) luaL_error(L, "out of range");
uint8_t v=(uint8_t)i;
lua_pushlstring(L,(char*)&v,1);
@@ -231,7 +299,7 @@ static int luacall_bu16(lua_State *L)
{
lua_check_argc(L,"bu16",1);
lua_Integer i = luaL_checkinteger(L,1);
int64_t i = (int64_t)luaL_checklint(L,1);
if (i>0xFFFF || i<-(lua_Integer)0xFFFF) luaL_error(L, "out of range");
uint8_t v[2];
phton16(v,(uint16_t)i);
@@ -242,7 +310,7 @@ static int luacall_bu24(lua_State *L)
{
lua_check_argc(L,"bu24",1);
lua_Integer i = luaL_checkinteger(L,1);
int64_t i = (int64_t)luaL_checklint(L,1);
if (i>0xFFFFFF || i<-(lua_Integer)0xFFFFFF) luaL_error(L, "out of range");
uint8_t v[3];
phton24(v,(uint32_t)i);
@@ -253,8 +321,8 @@ static int luacall_bu32(lua_State *L)
{
lua_check_argc(L,"bu32",1);
lua_Integer i = luaL_checkinteger(L,1);
if (i>0xFFFFFFFF || i<-(lua_Integer)0xFFFFFFFF) luaL_error(L, "out of range");
int64_t i = (int64_t)luaL_checklint(L,1);
if (i>0xFFFFFFFF || i<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
uint8_t v[4];
phton32(v,(uint32_t)i);
lua_pushlstring(L,(char*)v,4);
@@ -264,10 +332,10 @@ static int luacall_bu32(lua_State *L)
static int luacall_divint(lua_State *L)
{
lua_check_argc(L,"divint",2);
lua_Integer v1=luaL_checkinteger(L,1);
lua_Integer v2=luaL_checkinteger(L,2);
int64_t v1=(int64_t)luaL_checklint(L,1);
int64_t v2=(int64_t)luaL_checklint(L,2);
if (v2)
lua_pushinteger(L,v1/v2);
lua_pushlint(L,v1/v2);
else
lua_pushnil(L);
return 1;
@@ -617,15 +685,15 @@ static int luacall_clock_gettime(lua_State *L)
}
else
{
lua_pushinteger(L, ts.tv_sec);
lua_pushlint(L, ts.tv_sec);
lua_pushinteger(L, ts.tv_nsec);
}
LUA_STACK_GUARD_RETURN(L,2)
}
static int luacall_instance_cutoff(lua_State *L)
{
// out : func_name.profile_number[0]
// in : func_name.profile_number[1]
// out : instance_name.profile_number[0]
// in : instance_name.profile_number[1]
lua_check_argc_range(L,"instance_cutoff",1,2);
@@ -633,45 +701,51 @@ static int luacall_instance_cutoff(lua_State *L)
const t_lua_desync_context *ctx;
if (!lua_islightuserdata(L,1))
luaL_error(L, "instance_cutoff expect desync context in the first argument");
ctx = lua_touserdata(L,1);
int argc=lua_gettop(L);
bool bIn,bOut;
if (argc>=2)
{
luaL_checktype(L,2,LUA_TBOOLEAN);
bOut = lua_toboolean(L,2);
bIn = !bOut;
}
if (lua_isnil(L,1))
// this can happen in orchestrated function. they do not have their own ctx and they cant cutoff
DLOG("instance cutoff not possible because missing ctx\n");
else
bIn = bOut = true;
if (ctx->ctrack)
{
DLOG("instance cutoff for '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
lua_rawgeti(L,LUA_REGISTRYINDEX,ctx->ctrack->lua_instance_cutoff);
lua_getfield(L,-1,ctx->instance);
if (!lua_istable(L,-1))
if (!lua_islightuserdata(L,1))
luaL_error(L, "instance_cutoff expect desync context in the first argument");
ctx = lua_touserdata(L,1);
int argc=lua_gettop(L);
bool bIn,bOut;
if (argc>=2 && lua_type(L,2)!=LUA_TNIL)
{
lua_pop(L,1);
lua_pushf_table(ctx->instance);
luaL_checktype(L,2,LUA_TBOOLEAN);
bOut = lua_toboolean(L,2);
bIn = !bOut;
}
else
bIn = bOut = true;
if (ctx->ctrack)
{
DLOG("instance cutoff for '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
lua_rawgeti(L,LUA_REGISTRYINDEX,ctx->ctrack->lua_instance_cutoff);
lua_getfield(L,-1,ctx->instance);
}
lua_rawgeti(L,-1,ctx->dp->n);
if (!lua_istable(L,-1))
{
lua_pop(L,1);
lua_pushi_table(ctx->dp->n);
if (!lua_istable(L,-1))
{
lua_pop(L,1);
lua_pushf_table(ctx->instance);
lua_getfield(L,-1,ctx->instance);
}
lua_rawgeti(L,-1,ctx->dp->n);
if (!lua_istable(L,-1))
{
lua_pop(L,1);
lua_pushi_table(ctx->dp->n);
lua_rawgeti(L,-1,ctx->dp->n);
}
if (bOut) lua_pushi_bool(0,true);
if (bIn) lua_pushi_bool(1,true);
lua_pop(L,3);
}
if (bOut) lua_pushi_bool(0,true);
if (bIn) lua_pushi_bool(1,true);
lua_pop(L,3);
else
DLOG("instance cutoff requested for '%s' in=%u out=%u but not possible without conntrack\n",ctx->instance,bIn,bOut);
}
else
DLOG("instance cutoff requested for '%s' in=%u out=%u but not possible without conntrack\n",ctx->instance,bIn,bOut);
LUA_STACK_GUARD_RETURN(L,0)
}
@@ -705,6 +779,102 @@ bool lua_instance_cutoff_check(const t_lua_desync_context *ctx, bool bIn)
return b;
}
static int luacall_lua_cutoff(lua_State *L)
{
lua_check_argc_range(L,"lua_cutoff",1,2);
LUA_STACK_GUARD_ENTER(L)
t_lua_desync_context *ctx;
if (!lua_islightuserdata(L,1))
luaL_error(L, "lua_cutoff expect desync context in the first argument");
ctx = lua_touserdata(L,1);
int argc=lua_gettop(L);
bool bIn,bOut;
if (argc>=2 && lua_type(L,2)!=LUA_TNIL)
{
luaL_checktype(L,2,LUA_TBOOLEAN);
bOut = lua_toboolean(L,2);
bIn = !bOut;
}
else
bIn = bOut = true;
if (ctx->ctrack)
{
DLOG("lua cutoff from '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
// lua cutoff is one way transition
if (bIn) ctx->ctrack->b_lua_in_cutoff = true;
if (bOut) ctx->ctrack->b_lua_out_cutoff = true;
}
else
DLOG("lua cutoff requested from '%s' in=%u out=%u but not possible without conntrack\n",ctx->instance,bIn,bOut);
LUA_STACK_GUARD_RETURN(L,0)
}
static int luacall_execution_plan(lua_State *L)
{
lua_check_argc(L,"execution_plan",1);
LUA_STACK_GUARD_ENTER(L)
const t_lua_desync_context *ctx;
if (!lua_islightuserdata(L,1))
luaL_error(L, "execution_plan expect desync context in the first argument");
ctx = lua_touserdata(L,1);
lua_newtable(L);
struct func_list *func;
char instance[256], pls[2048];
struct packet_range *range;
unsigned int n=1;
LIST_FOREACH(func, &ctx->dp->lua_desync, next)
{
if (n > ctx->func_n)
{
desync_instance(func->func, ctx->dp->n, n, instance, sizeof(instance));
range = ctx->incoming ? &func->range_in : &func->range_out;
lua_pushinteger(params.L, n - ctx->func_n);
lua_createtable(params.L, 0, 6);
lua_pushf_args(&func->args, -1, false);
lua_pushf_str("func", func->func);
lua_pushf_int("func_n", ctx->func_n);
lua_pushf_str("func_instance", instance);
lua_pushf_range("range", range);
if (l7_payload_str_list(func->payload_type, pls, sizeof(pls)))
lua_pushf_str("payload_filter", pls);
else
lua_pushf_nil("payload_filter");
lua_rawset(params.L,-3);
}
n++;
}
LUA_STACK_GUARD_RETURN(L,1)
}
static int luacall_execution_plan_cancel(lua_State *L)
{
lua_check_argc(L,"execution_plan_cancel",1);
t_lua_desync_context *ctx;
if (!lua_islightuserdata(L,1))
luaL_error(L, "execution_plan_cancel expect desync context in the first argument");
ctx = lua_touserdata(L,1);
DLOG("execution plan cancel from '%s'\n",ctx->instance);
ctx->cancel = true;
return 0;
}
static int luacall_raw_packet(lua_State *L)
{
lua_check_argc(L,"raw_packet",1);
@@ -738,13 +908,37 @@ void lua_pushi_nil(lua_Integer idx)
void lua_pushf_int(const char *field, lua_Integer v)
{
lua_pushstring(params.L, field);
lua_pushinteger(params.L, v);
lua_pushlint(params.L, v);
lua_rawset(params.L,-3);
}
void lua_pushi_int(lua_Integer idx, lua_Integer v)
{
lua_pushinteger(params.L, idx);
lua_pushinteger(params.L, v);
lua_pushlint(params.L, v);
lua_rawset(params.L,-3);
}
void lua_pushf_lint(const char *field, int64_t v)
{
lua_pushstring(params.L, field);
lua_pushlint(params.L, v);
lua_rawset(params.L,-3);
}
void lua_pushi_lint(lua_Integer idx, int64_t v)
{
lua_pushinteger(params.L, idx);
lua_pushlint(params.L, v);
lua_rawset(params.L,-3);
}
void lua_pushf_number(const char *field, lua_Number v)
{
lua_pushstring(params.L, field);
lua_pushnumber(params.L, v);
lua_rawset(params.L,-3);
}
void lua_pushi_number(lua_Integer idx, lua_Number v)
{
lua_pushinteger(params.L, idx);
lua_pushnumber(params.L, v);
lua_rawset(params.L,-3);
}
void lua_pushf_bool(const char *field, bool b)
@@ -771,6 +965,18 @@ void lua_pushi_str(lua_Integer idx, const char *str)
lua_pushstring(params.L, str); // pushes nil if str==NULL
lua_rawset(params.L,-3);
}
void lua_pushf_lstr(const char *field, const char *str, size_t size)
{
lua_pushstring(params.L, field);
lua_pushlstring(params.L, str, size);
lua_rawset(params.L,-3);
}
void lua_pushi_lstr(lua_Integer idx, const char *str, size_t size)
{
lua_pushinteger(params.L, idx);
lua_pushlstring(params.L, str, size);
lua_rawset(params.L,-3);
}
void lua_push_raw(const void *v, size_t l)
{
if (v)
@@ -889,8 +1095,8 @@ void lua_pushf_tcphdr(const struct tcphdr *tcp, size_t len)
lua_createtable(params.L, 0, 11);
lua_pushf_int("th_sport",ntohs(tcp->th_sport));
lua_pushf_int("th_dport",ntohs(tcp->th_dport));
lua_pushf_int("th_seq",ntohl(tcp->th_seq));
lua_pushf_int("th_ack",ntohl(tcp->th_ack));
lua_pushf_lint("th_seq",ntohl(tcp->th_seq));
lua_pushf_lint("th_ack",ntohl(tcp->th_ack));
lua_pushf_int("th_x2",tcp->th_x2);
lua_pushf_int("th_off",tcp->th_off);
lua_pushf_int("th_flags",tcp->th_flags);
@@ -1025,8 +1231,8 @@ void lua_pushf_ip6hdr(const struct ip6_hdr *ip6, size_t len)
if (ip6)
{
lua_createtable(params.L, 0, 7);
lua_pushf_int("ip6_flow",ntohl(ip6->ip6_ctlun.ip6_un1.ip6_un1_flow));
lua_pushf_int("ip6_plen",ntohs(ip6->ip6_ctlun.ip6_un1.ip6_un1_plen));
lua_pushf_lint("ip6_flow",ntohl(ip6->ip6_ctlun.ip6_un1.ip6_un1_flow));
lua_pushf_lint("ip6_plen",ntohs(ip6->ip6_ctlun.ip6_un1.ip6_un1_plen));
lua_pushf_int("ip6_nxt",ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt);
lua_pushf_int("ip6_hlim",ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim);
lua_pushf_raw("ip6_src",&ip6->ip6_src,sizeof(struct in6_addr));
@@ -1066,21 +1272,44 @@ void lua_pushf_dissect(const struct dissect *dis)
lua_rawset(params.L,-3);
}
void lua_pushf_ctrack(const t_ctrack *ctrack)
void lua_pushf_ctrack_pos(const t_ctrack *ctrack, const t_ctrack_position *pos)
{
LUA_STACK_GUARD_ENTER(params.L)
lua_pushf_lint("pcounter", pos->pcounter);
lua_pushf_lint("pdcounter", pos->pdcounter);
lua_pushf_lint("pbcounter", pos->pbcounter);
if (ctrack->ipproto == IPPROTO_TCP)
{
lua_pushliteral(params.L, "tcp");
lua_createtable(params.L, 0, 10);
lua_pushf_lint("seq0", pos->seq0);
lua_pushf_lint("seq", pos->seq_last);
lua_pushf_lint("rseq", pos->seq_last - pos->seq0);
lua_pushf_int("pos", pos->pos - pos->seq0);
lua_pushf_int("uppos", pos->uppos - pos->seq0);
lua_pushf_int("uppos_prev", pos->uppos_prev - pos->seq0);
lua_pushf_int("winsize", pos->winsize);
lua_pushf_int("winsize_calc", pos->winsize_calc);
lua_pushf_int("scale", pos->scale);
lua_pushf_int("mss", pos->mss);
lua_rawset(params.L,-3);
}
LUA_STACK_GUARD_LEAVE(params.L, 0)
}
void lua_pushf_ctrack(const t_ctrack *ctrack, const t_ctrack_positions *tpos, bool bIncoming)
{
LUA_STACK_GUARD_ENTER(params.L)
if (!tpos) tpos = &ctrack->pos;
lua_pushliteral(params.L, "track");
if (ctrack)
{
lua_createtable(params.L, 0, 13 + (ctrack->ipproto == IPPROTO_TCP));
lua_createtable(params.L, 0, 9);
lua_pushf_int("pcounter_orig", ctrack->pcounter_orig);
lua_pushf_int("pdcounter_orig", ctrack->pdcounter_orig);
lua_pushf_int("pbcounter_orig", ctrack->pbcounter_orig);
lua_pushf_int("pcounter_reply", ctrack->pcounter_reply);
lua_pushf_int("pdcounter_reply", ctrack->pdcounter_reply);
lua_pushf_int("pbcounter_reply", ctrack->pbcounter_reply);
if (ctrack->incoming_ttl)
lua_pushf_int("incoming_ttl", ctrack->incoming_ttl);
else
@@ -1091,27 +1320,38 @@ void lua_pushf_ctrack(const t_ctrack *ctrack)
lua_pushf_reg("lua_state", ctrack->lua_state);
lua_pushf_bool("lua_in_cutoff", ctrack->b_lua_in_cutoff);
lua_pushf_bool("lua_out_cutoff", ctrack->b_lua_out_cutoff);
lua_pushf_lint("t_start", (lua_Number)ctrack->t_start.tv_sec + ctrack->t_start.tv_nsec/1000000000.);
if (ctrack->ipproto == IPPROTO_TCP)
{
lua_pushliteral(params.L, "tcp");
lua_createtable(params.L, 0, 14);
lua_pushf_int("seq0", ctrack->seq0);
lua_pushf_int("seq", ctrack->seq_last);
lua_pushf_int("ack0", ctrack->ack0);
lua_pushf_int("ack", ctrack->ack_last);
lua_pushf_int("pos_orig", ctrack->pos_orig - ctrack->seq0);
lua_pushf_int("winsize_orig", ctrack->winsize_orig);
lua_pushf_int("winsize_orig_calc", ctrack->winsize_orig_calc);
lua_pushf_int("scale_orig", ctrack->scale_orig);
lua_pushf_int("mss_orig", ctrack->mss_orig);
lua_pushf_int("pos_reply", ctrack->pos_reply - ctrack->ack0);
lua_pushf_int("winsize_reply", ctrack->winsize_reply);
lua_pushf_int("winsize_reply_calc", ctrack->winsize_reply_calc);
lua_pushf_int("scale_reply", ctrack->scale_reply);
lua_pushf_int("mss_reply", ctrack->mss_reply);
lua_rawset(params.L,-3);
}
lua_pushliteral(params.L, "pos");
lua_createtable(params.L, 0, 5);
// orig, reply related to connection logical direction
// for tcp orig is client (who connects), reply is server (who listens).
// for orig is the first seen party, reply is another party
lua_pushf_number("dt",
(lua_Number)tpos->t_last.tv_sec - (lua_Number)ctrack->t_start.tv_sec +
(tpos->t_last.tv_nsec - ctrack->t_start.tv_nsec)/1000000000.);
lua_pushliteral(params.L, "client");
lua_newtable(params.L);
lua_pushf_ctrack_pos(ctrack, &tpos->client);
lua_rawset(params.L,-3);
lua_pushliteral(params.L, "server");
lua_newtable(params.L);
lua_pushf_ctrack_pos(ctrack, &tpos->server);
lua_rawset(params.L,-3);
// direct and reverse are adjusted for server mode. in server mode orig and reply are exchanged.
lua_pushliteral(params.L, "direct");
lua_getfield(params.L, -2, (params.server ^ bIncoming) ? "server" : "client");
lua_rawset(params.L,-3);
lua_pushliteral(params.L, "reverse");
lua_getfield(params.L, -2, (params.server ^ bIncoming) ? "client" : "server");
lua_rawset(params.L,-3);
lua_rawset(params.L,-3);
}
else
lua_pushnil(params.L);
@@ -1120,7 +1360,7 @@ void lua_pushf_ctrack(const t_ctrack *ctrack)
LUA_STACK_GUARD_LEAVE(params.L, 0)
}
void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)
void lua_pushf_args(const struct str2_list_head *args, int idx_desync, bool subst_prefix)
{
// var=val - pass val string
// var=%val - subst 'val' blob
@@ -1130,7 +1370,7 @@ void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)
LUA_STACK_GUARD_ENTER(params.L)
struct ptr_list *arg;
struct str2_list *arg;
const char *var, *val;
idx_desync = lua_absindex(params.L, idx_desync);
@@ -1139,19 +1379,24 @@ void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)
lua_newtable(params.L);
LIST_FOREACH(arg, args, next)
{
var = (char*)arg->ptr1;
val = arg->ptr2 ? (char*)arg->ptr2 : "";
if (val[0]=='\\' && (val[1]=='%' || val[1]=='#'))
// escape char
lua_pushf_str(var, val+1);
else if (val[0]=='%')
lua_pushf_blob(idx_desync, var, val+1);
else if (val[0]=='#')
var = arg->str1;
val = arg->str2 ? arg->str2 : "";
if (subst_prefix)
{
lua_push_blob(idx_desync, val+1);
lua_Integer len = lua_rawlen(params.L, -1);
lua_pop(params.L,1);
lua_pushf_int(var, len);
if (val[0]=='\\' && (val[1]=='%' || val[1]=='#'))
// escape char
lua_pushf_str(var, val+1);
else if (val[0]=='%')
lua_pushf_blob(idx_desync, var, val+1);
else if (val[0]=='#')
{
lua_push_blob(idx_desync, val+1);
lua_Integer len = lua_rawlen(params.L, -1);
lua_pop(params.L,1);
lua_pushf_int(var, len);
}
else
lua_pushf_str(var, val);
}
else
lua_pushf_str(var, val);
@@ -1160,7 +1405,33 @@ void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)
LUA_STACK_GUARD_LEAVE(params.L, 0)
}
void lua_pushf_pos(const char *name, const struct packet_pos *pos)
{
LUA_STACK_GUARD_ENTER(params.L)
char smode[2]="?";
lua_pushf_table(name);
lua_getfield(params.L,-1,name);
*smode=pos->mode;
lua_pushf_str("mode",smode);
lua_pushf_lint("pos",pos->pos);
lua_pop(params.L,1);
LUA_STACK_GUARD_LEAVE(params.L, 0)
}
void lua_pushf_range(const char *name, const struct packet_range *range)
{
LUA_STACK_GUARD_ENTER(params.L)
lua_pushf_table(name);
lua_getfield(params.L,-1,"range");
lua_pushf_bool("upper_cutoff",range->upper_cutoff);
lua_pushf_pos("from", &range->from);
lua_pushf_pos("to", &range->to);
lua_pop(params.L,1);
LUA_STACK_GUARD_LEAVE(params.L, 0)
}
static void lua_reconstruct_extract_options(lua_State *L, int idx, bool *badsum, bool *ip6_preserve_next, uint8_t *ip6_last_proto)
@@ -1277,7 +1548,7 @@ bool lua_reconstruct_ip6hdr(int idx, struct ip6_hdr *ip6, size_t *len, uint8_t l
idx = lua_absindex(params.L, idx);
lua_getfield(params.L,idx,"ip6_flow");
ip6->ip6_ctlun.ip6_un1.ip6_un1_flow = htonl(lua_type(params.L,-1)==LUA_TNUMBER ? (uint32_t)lua_tointeger(params.L,-1) : 0x60000000);
ip6->ip6_ctlun.ip6_un1.ip6_un1_flow = htonl(lua_type(params.L,-1)==LUA_TNUMBER ? (uint32_t)lua_tolint(params.L,-1) : 0x60000000);
lua_pop(params.L, 1);
lua_getfield(params.L,idx,"ip6_plen");
@@ -1537,12 +1808,12 @@ bool lua_reconstruct_tcphdr(int idx, struct tcphdr *tcp, size_t *len)
lua_getfield(params.L,idx,"th_seq");
if (lua_type(params.L,-1)!=LUA_TNUMBER) goto err;
tcp->th_seq = htonl((uint32_t)lua_tointeger(params.L,-1));
tcp->th_seq = htonl((uint32_t)lua_tolint(params.L,-1));
lua_pop(params.L, 1);
lua_getfield(params.L,idx,"th_ack");
if (lua_type(params.L,-1)!=LUA_TNUMBER) goto err;
tcp->th_ack = htonl((uint32_t)lua_tointeger(params.L,-1));
tcp->th_ack = htonl((uint32_t)lua_tolint(params.L,-1));
lua_pop(params.L, 1);
lua_getfield(params.L,idx,"th_x2");
@@ -2017,7 +2288,7 @@ static void lua_rawsend_extract_options(lua_State *L, int idx, int *repeats, uin
if (fwmark)
{
lua_getfield(L,idx,"fwmark");
*fwmark=(uint32_t)lua_tointeger(L,-1) | params.desync_fwmark;
*fwmark=(uint32_t)lua_tolint(L,-1) | params.desync_fwmark;
lua_pop(L,1);
}
if (ifout)
@@ -2663,6 +2934,21 @@ static void lua_init_const(void)
{
LUA_STACK_GUARD_ENTER(params.L)
const struct
{
const char *name, *v;
} cstr[] = {
{"NFQWS2_VER",params.verstr}
};
DLOG("LUA STR:");
for (int i=0;i<sizeof(cstr)/sizeof(*cstr);i++)
{
lua_pushstring(params.L, cstr[i].v);
lua_setglobal(params.L, cstr[i].name);
DLOG(" %s", cstr[i].name);
}
const struct
{
const char *name;
@@ -2674,6 +2960,7 @@ static void lua_init_const(void)
{"divert_port",params.port},
#endif
{"desync_fwmark",params.desync_fwmark},
{"NFQWS2_COMPAT_VER",LUA_COMPAT_VER},
{"VERDICT_PASS",VERDICT_PASS},
{"VERDICT_MODIFY",VERDICT_MODIFY},
@@ -2735,7 +3022,7 @@ static void lua_init_const(void)
{"IPPROTO_SHIM6",IPPROTO_SHIM6},
{"IPPROTO_NONE",IPPROTO_NONE}
};
DLOG("LUA NUMERIC:");
DLOG("\nLUA NUMERIC:");
for (int i=0;i<sizeof(cuint)/sizeof(*cuint);i++)
{
lua_pushinteger(params.L, (lua_Integer)cuint[i].v);
@@ -2803,6 +3090,11 @@ static void lua_init_functions(void)
{"u16",luacall_u16},
{"u24",luacall_u24},
{"u32",luacall_u32},
// add any number of arguments as they would be unsigned int of specific size
{"u8add",luacall_u8add},
{"u16add",luacall_u16add},
{"u24add",luacall_u24add},
{"u32add",luacall_u32add},
// convert number to blob (string) - big endian
{"bu8",luacall_bu8},
{"bu16",luacall_bu16},
@@ -2836,6 +3128,12 @@ static void lua_init_functions(void)
// voluntarily stop receiving packets
{"instance_cutoff",luacall_instance_cutoff},
// voluntarily stop receiving packets of the current connection for all instances
{"lua_cutoff",luacall_lua_cutoff},
// get info about upcoming desync instances and their arguments
{"execution_plan",luacall_execution_plan},
// cancel execution of upcoming desync instances and their arguments
{"execution_plan_cancel",luacall_execution_plan_cancel},
// get raw packet data
{"raw_packet",luacall_raw_packet},

31
nfq2/lua.h
View File

@@ -22,12 +22,27 @@
#define LUA_UNSIGNED uint64_t
#endif
// in old lua integer is 32 bit on 32 bit platforms and 64 bit on 64 bit platforms
#if LUA_VERSION_NUM < 503 && __SIZEOF_POINTER__==4
#define lua_pushlint lua_pushnumber
#define lua_tolint lua_tonumber
#define luaL_checklint luaL_checknumber
#else
#define lua_pushlint lua_pushinteger
#define luaL_checklint luaL_checkinteger
#define lua_tolint lua_tointeger
#endif
// pushing and not popping inside luacall cause memory leak
// these macros ensure correct stack position or throw error if not
#define LUA_STACK_GUARD_ENTER(L) int _lsg=lua_gettop(L);
#define LUA_STACK_GUARD_LEAVE(L,N) if ((_lsg+N)!=lua_gettop(L)) luaL_error(L,"stack guard failure");
#define LUA_STACK_GUARD_RETURN(L,N) LUA_STACK_GUARD_LEAVE(L,N); return N;
void desync_instance(const char *func, unsigned int dp_n, unsigned int func_n, char *instance, size_t inst_size);
bool lua_test_init_script_files(void);
bool lua_init(void);
void lua_shutdown(void);
@@ -48,8 +63,14 @@ void lua_pushf_bool(const char *field, bool b);
void lua_pushi_bool(lua_Integer idx, bool b);
void lua_pushf_str(const char *field, const char *str);
void lua_pushi_str(lua_Integer idx, const char *str);
void lua_pushf_lstr(const char *field, const char *str, size_t len);
void lua_pushi_lstr(lua_Integer idx, const char *str, size_t len);
void lua_pushf_int(const char *field, lua_Integer v);
void lua_pushi_int(lua_Integer idx, lua_Integer v);
void lua_pushf_lint(const char *field, int64_t v);
void lua_pushi_lint(lua_Integer idx, int64_t v);
void lua_pushf_number(const char *field, lua_Number v);
void lua_pushi_number(lua_Integer idx, lua_Number v);
void lua_push_raw(const void *v, size_t l);
void lua_pushf_raw(const char *field, const void *v, size_t l);
void lua_pushi_raw(lua_Integer idx, const void *v, size_t l);
@@ -68,8 +89,10 @@ void lua_pushf_iphdr(const struct ip *ip, size_t len);
void lua_pushf_ip6hdr(const struct ip6_hdr *ip6, size_t len);
void lua_push_dissect(const struct dissect *dis);
void lua_pushf_dissect(const struct dissect *dis);
void lua_pushf_ctrack(const t_ctrack *ctrack);
void lua_pushf_args(const struct ptr_list_head *args, int idx_desync);
void lua_pushf_ctrack(const t_ctrack *ctrack, const t_ctrack_positions *tpos, bool bIncoming);
void lua_pushf_args(const struct str2_list_head *args, int idx_desync, bool subst_prefix);
void lua_pushf_pos(const char *name, const struct packet_pos *pos);
void lua_pushf_range(const char *name, const struct packet_range *range);
void lua_pushf_global(const char *field, const char *global);
bool lua_reconstruct_ip6hdr(int idx, struct ip6_hdr *ip6, size_t *len, uint8_t last_proto, bool preserve_next);
@@ -79,10 +102,12 @@ bool lua_reconstruct_udphdr(int idx, struct udphdr *udp);
bool lua_reconstruct_dissect(int idx, uint8_t *buf, size_t *len, bool badsum, bool ip6_preserve_next);
typedef struct {
unsigned int func_n;
const char *func, *instance;
const struct desync_profile *dp;
const t_ctrack *ctrack;
const struct dissect *dis;
t_ctrack *ctrack;
bool incoming,cancel;
} t_lua_desync_context;
bool lua_instance_cutoff_check(const t_lua_desync_context *ctx, bool bIn);

269
nfq2/nfqws.c
View File

@@ -48,11 +48,6 @@
#define NF_ACCEPT 1
#endif
#define CTRACK_T_SYN 60
#define CTRACK_T_FIN 60
#define CTRACK_T_EST 300
#define CTRACK_T_UDP 60
#define MAX_CONFIG_FILE_SIZE 16384
struct params_s params;
@@ -99,7 +94,7 @@ static void onusr2(int sig)
struct desync_profile_list *dpl;
LIST_FOREACH(dpl, &params.desync_profiles, next)
{
printf("\nDESYNC profile %u\n", dpl->dp.n);
printf("\nDESYNC profile %u (%s)\n", dpl->dp.n, PROFILE_NAME(&dpl->dp));
HostFailPoolDump(dpl->dp.hostlist_auto_fail_counters);
}
printf("\nIPCACHE\n");
@@ -1007,27 +1002,28 @@ static bool parse_pf_list(char *opt, struct port_filters_head *pfl)
return true;
}
bool lua_call_param_add(char *opt, struct ptr_list_head *args)
bool lua_call_param_add(char *opt, struct str2_list_head *args)
{
char c,*p;
struct ptr_list *arg;
struct str2_list *arg;
if ((p = strchr(opt,'=')))
{
c = *p; *p = 0;
}
if (!is_identifier(opt) || !(arg=ptrlist_add(args)))
if (!is_identifier(opt) || !(arg=str2list_add(args)))
{
if (p) *p = c;
return false;
}
arg->ptr1 = strdup(opt);
arg->str1 = strdup(opt);
if (p)
{
arg->ptr2 = strdup(p+1);
arg->str2 = strdup(p+1);
*p = c;
if (!arg->str2) return false;
}
return arg->ptr1;
return !!arg->str1;
}
struct func_list *parse_lua_call(char *opt, struct func_list_head *flist)
@@ -1053,7 +1049,6 @@ struct func_list *parse_lua_call(char *opt, struct func_list_head *flist)
last = !*e;
c = *e;
*e = 0;
b = lua_call_param_add(p, &f->args);
if (!last) *e++ = c;
if (!b) goto err;
@@ -1156,21 +1151,21 @@ static void BlobDebug()
}
}
static void LuaDesyncDebug(struct desync_profile *dp)
static void LuaDesyncDebug(struct desync_profile *dp, const char *entity)
{
if (params.debug)
{
struct func_list *func;
struct ptr_list *arg;
struct str2_list *arg;
int n,i;
LIST_FOREACH(func, &dp->lua_desync, next)
{
DLOG("profile %u lua %s(",dp->n,func->func);
DLOG("%s %u (%s) lua %s(",entity,dp->n,PROFILE_NAME(dp),func->func);
n=0;
LIST_FOREACH(arg, &func->args, next)
{
if (n) DLOG(",");
DLOG(arg->ptr2 ? "%s=\"%s\"" : "%s=\"\"", (char*)arg->ptr1, (char*)arg->ptr2);
DLOG(arg->str2 ? "%s=\"%s\"" : "%s=\"\"", arg->str1, arg->str2);
n++;
}
DLOG(" range_in=%c%u%c%c%u range_out=%c%u%c%c%u payload_type=",
@@ -1288,8 +1283,10 @@ static bool wf_make_filter(
if (bHaveTCP)
{
if (dp_list_have_autohostlist(&params.desync_profiles))
snprintf(wf + strlen(wf), len - strlen(wf), " or\n " DIVERT_HTTP_REDIRECT);
// may be required by orchestrators - always redirect
// if (dp_list_have_autohostlist(&params.desync_profiles))
snprintf(wf + strlen(wf), len - strlen(wf), " or\n " DIVERT_HTTP_REDIRECT);
}
if (!LIST_EMPTY(wf_raw_part))
@@ -1412,8 +1409,12 @@ static void exithelp(void)
" --lua-init=@<filename>|<lua_text>\t\t\t; load LUA program from a file or string. if multiple parameters present order of execution is preserved.\n"
" --lua-gc=<int>\t\t\t\t\t\t; forced garbage collection every N sec. default %u sec. triggers only when a packet arrives. 0 = disable.\n"
"\nMULTI-STRATEGY:\n"
" --new\t\t\t\t\t\t\t; begin new strategy\n"
" --skip\t\t\t\t\t\t\t; do not use this strategy\n"
" --new\t\t\t\t\t\t\t; begin new profile\n"
" --skip\t\t\t\t\t\t\t; do not use this profile\n"
" --name=<name>\t\t\t\t\t\t; set profile name\n"
" --template[=<name>]\t\t\t\t\t; use this profile as template (must be named or will be useless)\n"
" --cookie[=<string>]\t\t\t\t\t; pass this profile-bound string to LUA\n"
" --import=<name>\t\t\t\t\t; populate current profile with template data\n"
" --filter-l3=ipv4|ipv6\t\t\t\t\t; L3 protocol filter. multiple comma separated values allowed.\n"
" --filter-tcp=[~]port1[-port2]|*\t\t\t; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list allowed.\n"
" --filter-udp=[~]port1[-port2]|*\t\t\t; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list allowed.\n"
@@ -1433,11 +1434,15 @@ static void exithelp(void)
" --hostlist-auto-fail-threshold=<int>\t\t\t; how many failed attempts cause hostname to be added to auto hostlist (default : %d)\n"
" --hostlist-auto-fail-time=<int>\t\t\t; all failed attemps must be within these seconds (default : %d)\n"
" --hostlist-auto-retrans-threshold=<int>\t\t; how many request retransmissions cause attempt to fail (default : %d)\n"
" --hostlist-auto-retrans-maxseq=<int>\t\t\t; count retransmissions only within this relative sequence (default : %u)\n"
" --hostlist-auto-incoming-maxseq=<int>\t\t\t; treat tcp connection as successful if incoming relative sequence exceedes this threshold (default : %u)\n"
" --hostlist-auto-udp-out=<int>\t\t\t\t; udp failure condition : sent at least `udp_out` packets (default : %u)\n"
" --hostlist-auto-udp-in=<int>\t\t\t\t; udp failure condition : received not more than `udp_in` packets (default : %u)\n"
" --hostlist-auto-debug=<logfile>\t\t\t; debug auto hostlist positives (global parameter)\n"
"\nLUA PACKET PASS MODE:\n"
" --payload=type[,type]\t\t\t\t\t; set payload types following LUA functions should process : %s\n"
" --out-range=[(n|a|d|s)<int>](-|<)[(n|a|d|s)<int>]\t; set outgoing packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, b - byte count, x - never, a - always\n"
" --in-range=[(n|a|d|s)<int>](-|<)[(n|a|d|s)<int>]\t; set incoming packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, b - byte count, x - never, a - always\n"
" --out-range=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]\t; set outgoing packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, p - data position relative sequence, b - byte count, x - never, a - always\n"
" --in-range=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]\t; set incoming packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, p - data position relative sequence, b - byte count, x - never, a - always\n"
"\nLUA DESYNC ACTION:\n"
" --lua-desync=<functon>[:param1=val1[:param2=val2]]\t; call LUA function when packet received\n",
#if defined(__linux__) || defined(SO_USER_COOKIE)
@@ -1447,7 +1452,10 @@ static void exithelp(void)
IPCACHE_LIFETIME,
LUA_GC_INTERVAL,
all_protos,
HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT, HOSTLIST_AUTO_FAIL_TIME_DEFAULT, HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT,
HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT, HOSTLIST_AUTO_FAIL_TIME_DEFAULT,
HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT,
HOSTLIST_AUTO_RETRANS_MAXSEQ, HOSTLIST_AUTO_INCOMING_MAXSEQ,
HOSTLIST_AUTO_UDP_OUT, HOSTLIST_AUTO_UDP_IN,
all_payloads
);
exit(1);
@@ -1500,22 +1508,6 @@ static void ApplyDefaultBlobs(struct blob_collection_head *blobs)
load_const_blob_to_collection("fake_default_quic",buf,620,blobs,0);
}
#define STRINGIFY(x) #x
#define TOSTRING(x) STRINGIFY(x)
#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
#ifdef __ANDROID__
#define PRINT_VER printf("github android version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
#else
#define PRINT_VER printf("github version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
#endif
#else
#ifdef __ANDROID__
#define PRINT_VER printf("self-built android version %s %s\n\n", __DATE__, __TIME__)
#else
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
#endif
#endif
enum opt_indices {
IDX_DEBUG,
IDX_DRY_RUN,
@@ -1560,9 +1552,17 @@ enum opt_indices {
IDX_HOSTLIST_AUTO_FAIL_THRESHOLD,
IDX_HOSTLIST_AUTO_FAIL_TIME,
IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD,
IDX_HOSTLIST_AUTO_RETRANS_MAXSEQ,
IDX_HOSTLIST_AUTO_INCOMING_MAXSEQ,
IDX_HOSTLIST_AUTO_UDP_IN,
IDX_HOSTLIST_AUTO_UDP_OUT,
IDX_HOSTLIST_AUTO_DEBUG,
IDX_NEW,
IDX_SKIP,
IDX_NAME,
IDX_TEMPLATE,
IDX_IMPORT,
IDX_COOKIE,
IDX_FILTER_L3,
IDX_FILTER_TCP,
IDX_FILTER_UDP,
@@ -1640,9 +1640,17 @@ static const struct option long_options[] = {
[IDX_HOSTLIST_AUTO_FAIL_THRESHOLD] = {"hostlist-auto-fail-threshold", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_FAIL_TIME] = {"hostlist-auto-fail-time", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD] = {"hostlist-auto-retrans-threshold", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_RETRANS_MAXSEQ] = {"hostlist-auto-retrans-maxseq", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_INCOMING_MAXSEQ] = {"hostlist-auto-incoming-maxseq", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_UDP_IN] = {"hostlist-auto-udp-in", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_UDP_OUT] = {"hostlist-auto-udp-out", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_DEBUG] = {"hostlist-auto-debug", required_argument, 0, 0},
[IDX_NEW] = {"new", no_argument, 0, 0},
[IDX_SKIP] = {"skip", no_argument, 0, 0},
[IDX_NAME] = {"name", required_argument, 0, 0},
[IDX_TEMPLATE] = {"template", optional_argument, 0, 0},
[IDX_IMPORT] = {"import", required_argument, 0, 0},
[IDX_COOKIE] = {"cookie", required_argument, 0, 0},
[IDX_FILTER_L3] = {"filter-l3", required_argument, 0, 0},
[IDX_FILTER_TCP] = {"filter-tcp", required_argument, 0, 0},
[IDX_FILTER_UDP] = {"filter-udp", required_argument, 0, 0},
@@ -1679,16 +1687,26 @@ static const struct option long_options[] = {
[IDX_LAST] = {NULL, 0, NULL, 0},
};
#define STRINGIFY(x) #x
#define TOSTRING(x) STRINGIFY(x)
#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
#ifdef __ANDROID__
#define MAKE_VER(s,size) snprintf(s,size,"github android version %s (%s) lua_compat_ver %u", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH), LUA_COMPAT_VER)
#else
#define MAKE_VER(s,size) snprintf(s,size,"github version %s (%s) lua_compat_ver %u", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH), LUA_COMPAT_VER)
#endif
#else
#ifdef __ANDROID__
#define MAKE_VER(s,size) snprintf(s,size,"self-built android version %s %s lua_compat_ver %u", __DATE__, __TIME__, LUA_COMPAT_VER)
#else
#define MAKE_VER(s,size) snprintf(s,size,"self-built version %s %s lua_compat_ver %u", __DATE__, __TIME__, LUA_COMPAT_VER)
#endif
#endif
int main(int argc, char **argv)
{
if (argc < 2) exithelp();
aes_init_keygen_tables(); // required for aes
set_console_io_buffering();
set_env_exedir(argv[0]);
#ifdef __CYGWIN__
prepare_low_appdata();
if (service_run(argc, argv))
{
// we were running as service. now exit.
@@ -1697,7 +1715,7 @@ int main(int argc, char **argv)
#endif
int result, v;
int option_index = 0;
bool bSkip = false, bDry = false;
bool bSkip = false, bDry = false, bTemplate;
struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL;
struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL;
uint64_t payload_type=0;
@@ -1709,17 +1727,29 @@ int main(int argc, char **argv)
unsigned int hash_wf_tcp_in = 0, hash_wf_udp_in = 0, hash_wf_tcp_out = 0, hash_wf_udp_out = 0, hash_wf_raw = 0, hash_wf_raw_part = 0, hash_ssid_filter = 0, hash_nlm_filter = 0;
#endif
if (argc < 2) exithelp();
srandom(time(NULL));
aes_init_keygen_tables(); // required for aes
mask_from_preflen6_prepare();
set_env_exedir(argv[0]);
set_console_io_buffering();
#ifdef __CYGWIN__
prepare_low_appdata();
#endif
PRINT_VER;
init_params(&params);
memset(&params, 0, sizeof(params));
MAKE_VER(params.verstr, sizeof(params.verstr));
printf("%s\n\n",params.verstr);
ApplyDefaultBlobs(&params.blobs);
struct desync_profile_list *dpl;
struct desync_profile *dp;
unsigned int desync_profile_count = 0;
unsigned int desync_profile_count = 0, desync_template_count = 0;
bTemplate = false;
if (!(dpl = dp_list_add(&params.desync_profiles)))
{
DLOG_ERR("desync_profile_add: out of memory\n");
@@ -1728,39 +1758,6 @@ int main(int argc, char **argv)
dp = &dpl->dp;
dp->n = ++desync_profile_count;
#ifdef __linux__
params.qnum = -1;
#elif defined(BSD)
params.port = 0;
#endif
params.desync_fwmark = DPI_DESYNC_FWMARK_DEFAULT;
params.ctrack_t_syn = CTRACK_T_SYN;
params.ctrack_t_est = CTRACK_T_EST;
params.ctrack_t_fin = CTRACK_T_FIN;
params.ctrack_t_udp = CTRACK_T_UDP;
params.ipcache_lifetime = IPCACHE_LIFETIME;
params.lua_gc = LUA_GC_INTERVAL;
LIST_INIT(&params.hostlists);
LIST_INIT(&params.ipsets);
LIST_INIT(&params.blobs);
LIST_INIT(&params.lua_init_scripts);
ApplyDefaultBlobs(&params.blobs);
#ifdef __CYGWIN__
LIST_INIT(&params.ssid_filter);
LIST_INIT(&params.nlm_filter);
LIST_INIT(&params.wf_raw_part);
#else
if (can_drop_root())
{
params.uid = params.gid[0] = 0x7FFFFFFF; // default uid:gid
params.gid_count = 1;
params.droproot = true;
}
#endif
#if !defined( __OpenBSD__) && !defined(__ANDROID__)
if (argc >= 2 && (argv[1][0] == '@' || argv[1][0] == '$'))
{
@@ -2095,6 +2092,18 @@ int main(int argc, char **argv)
exit_clean(1);
}
break;
case IDX_HOSTLIST_AUTO_RETRANS_MAXSEQ:
dp->hostlist_auto_retrans_maxseq = (uint32_t)atoi(optarg);
break;
case IDX_HOSTLIST_AUTO_INCOMING_MAXSEQ:
dp->hostlist_auto_incoming_maxseq = (uint32_t)atoi(optarg);
break;
case IDX_HOSTLIST_AUTO_UDP_OUT:
dp->hostlist_auto_udp_out = atoi(optarg);
break;
case IDX_HOSTLIST_AUTO_UDP_IN:
dp->hostlist_auto_udp_in = atoi(optarg);
break;
case IDX_HOSTLIST_AUTO_DEBUG:
{
FILE *F = fopen(optarg, "a+t");
@@ -2120,23 +2129,83 @@ int main(int argc, char **argv)
else
{
check_dp(dp);
if (bTemplate)
{
if (dp->name && dp_list_search_name(&params.desync_templates, dp->name))
{
DLOG_ERR("template '%s' already present\n", dp->name);
exit_clean(1);
}
dpl->dp.n = ++desync_template_count;
dp_list_move(&params.desync_templates, dpl);
}
else
{
desync_profile_count++;
}
if (!(dpl = dp_list_add(&params.desync_profiles)))
{
DLOG_ERR("desync_profile_add: out of memory\n");
exit_clean(1);
}
dp = &dpl->dp;
dp->n = ++desync_profile_count;
dp->n = desync_profile_count;
}
anon_hl = anon_hl_exclude = NULL;
anon_ips = anon_ips_exclude = NULL;
payload_type = 0;
range_in = PACKET_RANGE_NEVER;
range_out = PACKET_RANGE_ALWAYS;
bTemplate = false;
break;
case IDX_SKIP:
bSkip = true;
break;
case IDX_TEMPLATE:
bTemplate = true;
case IDX_NAME:
if (optarg)
{
free(dp->name);
if (!(dp->name = strdup(optarg)))
{
DLOG_ERR("out of memory\n");
exit_clean(1);
}
}
break;
case IDX_COOKIE:
free(dp->cookie);
if (!(dp->cookie = strdup(optarg)))
{
DLOG_ERR("out of memory\n");
exit_clean(1);
}
break;
case IDX_IMPORT:
{
struct desync_profile_list *tpl = dp_list_search_name(&params.desync_templates, optarg);
if (!tpl)
{
DLOG_ERR("template '%s' not found\n", optarg);
exit_clean(1);
}
if (!dp_list_copy(dp, &tpl->dp))
{
DLOG_ERR("could not copy template\n");
exit_clean(1);
}
dp->n = desync_profile_count;
free(dp->name_tpl);
if (tpl->dp.name && !(dp->name_tpl = strdup(tpl->dp.name)))
{
DLOG_ERR("out of memory\n");
exit_clean(1);
}
dp->n_tpl = tpl->dp.n;
}
break;
case IDX_FILTER_L3:
if (!wf_make_l3(optarg, &dp->filter_ipv4, &dp->filter_ipv6))
@@ -2399,7 +2468,20 @@ int main(int argc, char **argv)
desync_profile_count--;
}
else
{
check_dp(dp);
if (bTemplate)
{
if (dp->name && dp_list_search_name(&params.desync_templates, dp->name))
{
DLOG_ERR("template '%s' already present\n", dp->name);
exit_clean(1);
}
dpl->dp.n = ++desync_template_count;
dp_list_move(&params.desync_templates, dpl);
desync_profile_count--;
}
}
// do not need args from file anymore
#if !defined( __OpenBSD__) && !defined(__ANDROID__)
@@ -2423,13 +2505,14 @@ int main(int argc, char **argv)
DLOG("adding low-priority default empty desync profile\n");
// add default empty profile
if (!(dpl = dp_list_add(&params.desync_profiles)))
if (!(dpl = dp_list_add(&params.desync_profiles)) || !(dpl->dp.name=strdup("no_action")))
{
DLOG_ERR("desync_profile_add: out of memory\n");
exit_clean(1);
}
DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n", desync_profile_count);
DLOG_CONDUP("we have %u user defined desync profile(s) and default low priority profile 0\n", desync_profile_count);
DLOG_CONDUP("we have %u user defined desync template(s)\n", desync_template_count);
if (params.writeable_dir_enable)
{
@@ -2463,11 +2546,16 @@ int main(int argc, char **argv)
if (params.droproot)
#endif
{
if (dp->hostlist_auto && ensure_file_access(dp->hostlist_auto->filename))
if (dp->hostlist_auto && !ensure_file_access(dp->hostlist_auto->filename))
DLOG_ERR("could not make '%s' accessible. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);
}
LuaDesyncDebug(dp);
LuaDesyncDebug(dp,"profile");
}
LIST_FOREACH(dpl, &params.desync_templates, next)
{
dp = &dpl->dp;
LuaDesyncDebug(dp,"template");
}
if (!test_list_files())
@@ -2493,6 +2581,9 @@ int main(int argc, char **argv)
BlobDebug();
DLOG("\n");
// not required anymore. free memory
dp_list_destroy(&params.desync_templates);
#ifdef __CYGWIN__
if (!*params.windivert_filter)
{

3
nfq2/nfqws.h
View File

@@ -10,3 +10,6 @@
extern bool bQuit;
#endif
int main(int argc, char *argv[]);
// when something changes that can break LUA compatibility this version should be increased
#define LUA_COMPAT_VER 3

11
nfq2/packet_queue.c
View File

@@ -26,7 +26,7 @@ void rawpacket_queue_destroy(struct rawpacket_tailhead *q)
while((rp = rawpacket_dequeue(q))) rawpacket_free(rp);
}
struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload)
struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos)
{
struct rawpacket *rp = malloc(sizeof(struct rawpacket));
if (!rp) return NULL;
@@ -52,6 +52,15 @@ struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sock
memcpy(rp->packet,data,len);
rp->len=len;
rp->len_payload=len_payload;
// make a copy for replay
if (tpos)
{
rp->tpos = *tpos;
rp->tpos_present = true;
}
else
rp->tpos_present = false;
TAILQ_INSERT_TAIL(q, rp, next);

6
nfq2/packet_queue.h
View File

@@ -6,6 +6,8 @@
#include <net/if.h>
#include <sys/socket.h>
#include "conntrack_base.h"
struct rawpacket
{
struct sockaddr_storage dst;
@@ -14,6 +16,8 @@ struct rawpacket
uint32_t fwmark;
size_t len, len_payload;
uint8_t *packet;
t_ctrack_positions tpos;
bool tpos_present;
TAILQ_ENTRY(rawpacket) next;
};
TAILQ_HEAD(rawpacket_tailhead, rawpacket);
@@ -22,6 +26,6 @@ void rawpacket_queue_init(struct rawpacket_tailhead *q);
void rawpacket_queue_destroy(struct rawpacket_tailhead *q);
bool rawpacket_queue_empty(const struct rawpacket_tailhead *q);
unsigned int rawpacket_queue_count(const struct rawpacket_tailhead *q);
struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload);
struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos);
struct rawpacket *rawpacket_dequeue(struct rawpacket_tailhead *q);
void rawpacket_free(struct rawpacket *rp);

135
nfq2/params.c
View File

@@ -322,7 +322,7 @@ void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit)
}
}
void dp_init(struct desync_profile *dp)
void dp_init_dynamic(struct desync_profile *dp)
{
LIST_INIT(&dp->hl_collection);
LIST_INIT(&dp->hl_collection_exclude);
@@ -331,33 +331,29 @@ void dp_init(struct desync_profile *dp)
LIST_INIT(&dp->pf_tcp);
LIST_INIT(&dp->pf_udp);
LIST_INIT(&dp->lua_desync);
#ifdef HAS_FILTER_SSID
LIST_INIT(&dp->filter_ssid);
#endif
}
void dp_init(struct desync_profile *dp)
{
dp_init_dynamic(dp);
dp->hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
dp->hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
dp->hostlist_auto_retrans_threshold = HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT;
dp->hostlist_auto_retrans_maxseq = HOSTLIST_AUTO_RETRANS_MAXSEQ;
dp->hostlist_auto_incoming_maxseq = HOSTLIST_AUTO_INCOMING_MAXSEQ;
dp->hostlist_auto_udp_out = HOSTLIST_AUTO_UDP_OUT;
dp->hostlist_auto_udp_in = HOSTLIST_AUTO_UDP_IN;
dp->filter_ipv4 = dp->filter_ipv6 = true;
}
struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
{
struct desync_profile_list *entry = calloc(1,sizeof(struct desync_profile_list));
if (!entry) return NULL;
dp_init(&entry->dp);
// add to the tail
struct desync_profile_list *dpn,*dpl=LIST_FIRST(&params.desync_profiles);
if (dpl)
{
while ((dpn=LIST_NEXT(dpl,next))) dpl = dpn;
LIST_INSERT_AFTER(dpl, entry, next);
}
else
LIST_INSERT_HEAD(&params.desync_profiles, entry, next);
return entry;
}
static void dp_clear_dynamic(struct desync_profile *dp)
{
free(dp->name);
free(dp->name_tpl);
free(dp->cookie);
hostlist_collection_destroy(&dp->hl_collection);
hostlist_collection_destroy(&dp->hl_collection_exclude);
ipset_collection_destroy(&dp->ips_collection);
@@ -389,6 +385,67 @@ void dp_list_destroy(struct desync_profile_list_head *head)
dp_entry_destroy(entry);
}
}
static struct desync_profile_list *desync_profile_entry_alloc()
{
struct desync_profile_list *entry = calloc(1,sizeof(struct desync_profile_list));
if (entry) dp_init(&entry->dp);
return entry;
}
struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
{
struct desync_profile_list *entry = desync_profile_entry_alloc();
if (!entry) return false;
struct desync_profile_list *tail, *item;
LIST_TAIL(head, tail, item);
LIST_INSERT_TAIL(head, tail, entry, next);
return entry;
}
bool dp_list_copy(struct desync_profile *to, const struct desync_profile *from)
{
// clear everything in target
dp_clear(to);
// first copy all simple type values
*to = *from;
// prepare empty dynamic structures
dp_init_dynamic(to);
// copy dynamic structures
if (from->name && !(to->name = strdup(from->name))) return false;
if (from->name_tpl && !(to->name_tpl = strdup(from->name_tpl))) return false;
if (from->cookie && !(to->cookie = strdup(from->cookie))) return false;
if (
#ifdef HAS_FILTER_SSID
!strlist_copy(&to->filter_ssid, &from->filter_ssid) ||
#endif
!funclist_copy(&to->lua_desync, &from->lua_desync) ||
!ipset_collection_copy(&to->ips_collection, &from->ips_collection) ||
!ipset_collection_copy(&to->ips_collection_exclude, &from->ips_collection_exclude) ||
!hostlist_collection_copy(&to->hl_collection, &from->hl_collection) ||
!hostlist_collection_copy(&to->hl_collection_exclude, &from->hl_collection_exclude))
{
return false;
}
return true;
}
void dp_list_move(struct desync_profile_list_head *target, struct desync_profile_list *dpl)
{
struct desync_profile_list *tail, *item;
LIST_TAIL(target, tail, item);
LIST_REMOVE(dpl, next);
LIST_INSERT_TAIL(target, tail, dpl, next);
}
struct desync_profile_list *dp_list_search_name(struct desync_profile_list_head *head, const char *name)
{
struct desync_profile_list *dpl;
if (name)
LIST_FOREACH(dpl, head, next)
if (dpl->dp.name && !strcmp(dpl->dp.name, name))
return dpl;
return NULL;
}
bool dp_list_have_autohostlist(struct desync_profile_list_head *head)
{
struct desync_profile_list *dpl;
@@ -427,6 +484,7 @@ void cleanup_params(struct params_s *params)
ConntrackPoolDestroy(&params->conntrack);
dp_list_destroy(&params->desync_profiles);
dp_list_destroy(&params->desync_templates);
hostlist_files_destroy(&params->hostlists);
ipset_files_destroy(&params->ipsets);
ipcacheDestroy(&params->ipcache);
@@ -440,3 +498,40 @@ void cleanup_params(struct params_s *params)
free(params->user); params->user=NULL;
#endif
}
void init_params(struct params_s *params)
{
memset(params, 0, sizeof(*params));
#ifdef __linux__
params->qnum = -1;
#elif defined(BSD)
params->port = 0;
#endif
params->desync_fwmark = DPI_DESYNC_FWMARK_DEFAULT;
params->ctrack_t_syn = CTRACK_T_SYN;
params->ctrack_t_est = CTRACK_T_EST;
params->ctrack_t_fin = CTRACK_T_FIN;
params->ctrack_t_udp = CTRACK_T_UDP;
params->ipcache_lifetime = IPCACHE_LIFETIME;
params->lua_gc = LUA_GC_INTERVAL;
LIST_INIT(&params->hostlists);
LIST_INIT(&params->ipsets);
LIST_INIT(&params->blobs);
LIST_INIT(&params->lua_init_scripts);
#ifdef __CYGWIN__
LIST_INIT(&params->ssid_filter);
LIST_INIT(&params->nlm_filter);
LIST_INIT(&params->wf_raw_part);
#else
if (can_drop_root())
{
params->uid = params->gid[0] = 0x7FFFFFFF; // default uid:gid
params->gid_count = 1;
params->droproot = true;
}
#endif
}

22
nfq2/params.h
View File

@@ -6,6 +6,7 @@
#include "desync.h"
#include "protocol.h"
#include "helpers.h"
#include "sec.h"
#include <sys/param.h>
#include <sys/types.h>
@@ -29,6 +30,10 @@
#define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT 3
#define HOSTLIST_AUTO_FAIL_TIME_DEFAULT 60
#define HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT 3
#define HOSTLIST_AUTO_RETRANS_MAXSEQ 65536
#define HOSTLIST_AUTO_INCOMING_MAXSEQ 4096
#define HOSTLIST_AUTO_UDP_OUT 4
#define HOSTLIST_AUTO_UDP_IN 1
#define IPCACHE_LIFETIME 7200
@@ -38,7 +43,7 @@
#define BLOB_EXTRA_BYTES 128
// this MSS is used for ipv6 in windows and linux
#define DEFAULT_MSS 1360
#define DEFAULT_MSS 1220
#define RECONSTRUCT_MAX_SIZE 16384
@@ -53,6 +58,10 @@ enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG, LOG_
struct desync_profile
{
unsigned int n; // number of the profile
char *name; // optional malloced name string
unsigned int n_tpl; // number of imported template
char *name_tpl; // imported template name
char *cookie; // optional malloced string
bool filter_ipv4,filter_ipv6;
struct port_filters_head pf_tcp,pf_udp;
@@ -73,11 +82,14 @@ struct desync_profile
// pointer to autohostlist. NULL if no autohostlist for the profile.
struct hostlist_file *hostlist_auto;
int hostlist_auto_fail_threshold, hostlist_auto_fail_time, hostlist_auto_retrans_threshold;
int hostlist_auto_udp_in, hostlist_auto_udp_out;
uint32_t hostlist_auto_retrans_maxseq, hostlist_auto_incoming_maxseq;
hostfail_pool *hostlist_auto_fail_counters;
struct func_list_head lua_desync;
};
#define PROFILE_NAME(dp) ((dp)->name ? (dp)->name : "noname")
#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&(dp)->ips_collection) && !LIST_FIRST(&(dp)->ips_collection_exclude))
#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&(dp)->ips_collection) && ipset_collection_is_empty(&(dp)->ips_collection_exclude))
@@ -89,6 +101,9 @@ struct desync_profile_list {
};
LIST_HEAD(desync_profile_list_head, desync_profile_list);
struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head);
void dp_list_move(struct desync_profile_list_head *target, struct desync_profile_list *dpl);
bool dp_list_copy(struct desync_profile *to, const struct desync_profile *from);
struct desync_profile_list *dp_list_search_name(struct desync_profile_list_head *head, const char *name);
void dp_entry_destroy(struct desync_profile_list *entry);
void dp_list_destroy(struct desync_profile_list_head *head);
bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
@@ -104,6 +119,7 @@ struct params_s
#if !defined( __OpenBSD__) && !defined(__ANDROID__)
wordexp_t wexp; // for file based config
#endif
char verstr[128];
enum log_target debug_target;
char debug_logfile[PATH_MAX];
@@ -119,7 +135,7 @@ struct params_s
bool bind_fix4,bind_fix6;
uint32_t desync_fwmark; // unused in BSD
struct desync_profile_list_head desync_profiles;
struct desync_profile_list_head desync_profiles, desync_templates;
#ifdef __CYGWIN__
struct str_list_head ssid_filter,nlm_filter;
@@ -170,6 +186,8 @@ struct params_s
extern struct params_s params;
extern const char *progname;
void init_params(struct params_s *params);
#if !defined( __OpenBSD__) && !defined(__ANDROID__)
void cleanup_args(struct params_s *params);
#endif

237
nfq2/pools.c
View File

@@ -155,20 +155,33 @@ bool strlist_add(struct str_list_head *head, const char *str)
LIST_INSERT_HEAD(head, entry, next);
return true;
}
static struct str_list *strlist_entry_copy(const struct str_list *entry)
{
return strlist_entry_alloc(entry->str);
}
bool strlist_copy(struct str_list_head *to, const struct str_list_head *from)
{
struct str_list *tail, *item, *entry;
LIST_TAIL(to, tail, item);
LIST_FOREACH(item, from, next)
{
if (!(entry = strlist_entry_copy(item))) return false;
LIST_INSERT_TAIL(to, tail, entry, next);
tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
}
return true;
}
bool strlist_add_tail(struct str_list_head *head, const char *str)
{
struct str_list *entry = strlist_entry_alloc(str);
if (!entry) return false;
// add to the tail
struct str_list *strn,*strl=LIST_FIRST(head);
if (strl)
{
while ((strn=LIST_NEXT(strl,next))) strl = strn;
LIST_INSERT_AFTER(strl, entry, next);
}
else
LIST_INSERT_HEAD(head, entry, next);
struct str_list *tail, *item;
LIST_TAIL(head, tail, item);
LIST_INSERT_TAIL(head, tail, entry, next);
return true;
}
static void strlist_entry_destroy(struct str_list *entry)
@@ -200,35 +213,77 @@ bool strlist_search(const struct str_list_head *head, const char *str)
}
static struct ptr_list *ptrlist_entry_alloc()
static void str2list_entry_destroy(struct str2_list *entry)
{
return (struct ptr_list*)calloc(1,sizeof(struct ptr_list));
free(entry->str1);
free(entry->str2);
free(entry);
}
void str2list_destroy(struct str2_list_head *head)
{
struct str2_list *entry;
while ((entry = LIST_FIRST(head)))
{
LIST_REMOVE(entry, next);
str2list_entry_destroy(entry);
}
}
static struct str2_list *str2list_entry_alloc()
{
return (struct str2_list*)calloc(1,sizeof(struct str2_list));
}
struct ptr_list *ptrlist_add(struct ptr_list_head *head)
struct str2_list *str2list_add(struct str2_list_head *head)
{
struct ptr_list *entry = ptrlist_entry_alloc();
struct str2_list *entry = str2list_entry_alloc();
if (!entry) return NULL;
LIST_INSERT_HEAD(head, entry, next);
return entry;
}
static void ptrlist_entry_destroy(struct ptr_list *entry)
static struct str2_list *str2list_entry_copy(const struct str2_list *entry)
{
free(entry->ptr1);
free(entry->ptr2);
struct str2_list *e2 = str2list_entry_alloc();
if (!e2) return NULL;
e2->str1 = strdup(entry->str1);
e2->str2 = strdup(entry->str2);
if (!e2->str1 || !e2->str2)
{
str2list_entry_destroy(e2);
return false;
}
return e2;
}
bool str2list_copy(struct str2_list_head *to, const struct str2_list_head *from)
{
struct str2_list *tail, *item, *entry;
LIST_TAIL(to, tail, item);
LIST_FOREACH(item, from, next)
{
if (!(entry = str2list_entry_copy(item))) return false;
LIST_INSERT_TAIL(to, tail, entry, next);
tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
}
return true;
}
static void funclist_entry_destroy(struct func_list *entry)
{
free(entry->func);
str2list_destroy(&entry->args);
free(entry);
}
void ptrlist_destroy(struct ptr_list_head *head)
void funclist_destroy(struct func_list_head *head)
{
struct ptr_list *entry;
struct func_list *entry;
while ((entry = LIST_FIRST(head)))
{
LIST_REMOVE(entry, next);
ptrlist_entry_destroy(entry);
funclist_entry_destroy(entry);
}
}
static struct func_list *funclist_entry_alloc(const char *func)
{
struct func_list *entry = malloc(sizeof(struct func_list));
@@ -250,31 +305,38 @@ struct func_list *funclist_add_tail(struct func_list_head *head, const char *fun
struct func_list *entry = funclist_entry_alloc(func);
if (!entry) return NULL;
// add to the tail
struct func_list *funcn,*funcl=LIST_FIRST(head);
if (funcl)
{
while ((funcn=LIST_NEXT(funcl,next))) funcl = funcn;
LIST_INSERT_AFTER(funcl, entry, next);
}
else
LIST_INSERT_HEAD(head, entry, next);
struct func_list *tail, *item;
LIST_TAIL(head, tail, item);
LIST_INSERT_TAIL(head, tail, entry, next);
return entry;
}
static void funclist_entry_destroy(struct func_list *entry)
static struct func_list *funclist_entry_copy(const struct func_list *entry)
{
free(entry->func);
ptrlist_destroy(&entry->args);
free(entry);
}
void funclist_destroy(struct func_list_head *head)
{
struct func_list *entry;
while ((entry = LIST_FIRST(head)))
struct func_list *e2 = funclist_entry_alloc(entry->func);
if (!e2) return NULL;
e2->payload_type = entry->payload_type;
e2->range_in = entry->range_in;
e2->range_out = entry->range_out;
if (!str2list_copy(&e2->args, &entry->args))
{
LIST_REMOVE(entry, next);
funclist_entry_destroy(entry);
funclist_entry_destroy(e2);
return false;
}
return e2;
}
bool funclist_copy(struct func_list_head *to, const struct func_list_head *from)
{
struct func_list *tail, *item, *entry;
LIST_TAIL(to, tail, item);
LIST_FOREACH(item, from, next)
{
if (!(entry = funclist_entry_copy(item))) return false;
LIST_INSERT_TAIL(to, tail, entry, next);
tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
}
return true;
}
@@ -333,16 +395,36 @@ void hostlist_files_reset_modtime(struct hostlist_files_head *list)
FILE_MOD_RESET(&hfile->mod_sig);
}
struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile)
static struct hostlist_item *hostlist_collection_entry_alloc(struct hostlist_file *hfile)
{
struct hostlist_item *entry = malloc(sizeof(struct hostlist_item));
if (entry)
{
entry->hfile = hfile;
LIST_INSERT_HEAD(head, entry, next);
}
if (entry) entry->hfile = hfile;
return entry;
}
struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile)
{
struct hostlist_item *entry = hostlist_collection_entry_alloc(hfile);
if (entry) LIST_INSERT_HEAD(head, entry, next);
return entry;
}
static struct hostlist_item *hostlist_collection_entry_copy(const struct hostlist_item *entry)
{
return hostlist_collection_entry_alloc(entry->hfile);
}
bool hostlist_collection_copy(struct hostlist_collection_head *to, const struct hostlist_collection_head *from)
{
struct hostlist_item *tail, *item, *entry;
LIST_TAIL(to, tail, item);
LIST_FOREACH(item, from, next)
{
if (!(entry = hostlist_collection_entry_copy(item))) return false;
LIST_INSERT_TAIL(to, tail, entry, next);
tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
}
return true;
}
void hostlist_collection_destroy(struct hostlist_collection_head *head)
{
struct hostlist_item *entry;
@@ -579,16 +661,36 @@ void ipset_files_reset_modtime(struct ipset_files_head *list)
FILE_MOD_RESET(&hfile->mod_sig);
}
struct ipset_item *ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile)
static struct ipset_item *ipset_collection_entry_alloc(struct ipset_file *hfile)
{
struct ipset_item *entry = malloc(sizeof(struct ipset_item));
if (entry)
{
entry->hfile = hfile;
LIST_INSERT_HEAD(head, entry, next);
}
if (entry) entry->hfile = hfile;
return entry;
}
struct ipset_item *ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile)
{
struct ipset_item *entry = ipset_collection_entry_alloc(hfile);
if (entry) LIST_INSERT_HEAD(head, entry, next);
return entry;
}
static struct ipset_item *ipset_collection_entry_copy(const struct ipset_item *entry)
{
return ipset_collection_entry_alloc(entry->hfile);
}
bool ipset_collection_copy(struct ipset_collection_head *to, const struct ipset_collection_head *from)
{
struct ipset_item *tail, *item, *entry;
LIST_TAIL(to, tail, item);
LIST_FOREACH(item, from, next)
{
if (!(entry = ipset_collection_entry_copy(item))) return false;
LIST_INSERT_TAIL(to, tail, entry, next);
tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
}
return true;
}
void ipset_collection_destroy(struct ipset_collection_head *head)
{
struct ipset_item *entry;
@@ -645,7 +747,7 @@ bool port_filters_in_range(const struct port_filters_head *head, uint16_t port)
{
const struct port_filter_item *item;
if (!LIST_FIRST(head)) return true;
if (LIST_EMPTY(head)) return true;
LIST_FOREACH(item, head, next)
{
if (pf_in_range(port, &item->pf))
@@ -656,7 +758,7 @@ bool port_filters_in_range(const struct port_filters_head *head, uint16_t port)
bool port_filters_deny_if_empty(struct port_filters_head *head)
{
port_filter pf;
if (LIST_FIRST(head)) return true;
if (!LIST_EMPTY(head)) return true;
return pf_parse("0",&pf) && port_filter_add(head,&pf);
}
@@ -667,15 +769,9 @@ struct blob_item *blob_collection_add(struct blob_collection_head *head)
struct blob_item *entry = calloc(1,sizeof(struct blob_item));
if (entry)
{
// insert to the end
struct blob_item *itemc,*iteml=LIST_FIRST(head);
if (iteml)
{
while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
LIST_INSERT_AFTER(iteml, entry, next);
}
else
LIST_INSERT_HEAD(head, entry, next);
struct blob_item *tail, *item;
LIST_TAIL(head, tail, item);
LIST_INSERT_TAIL(head, tail, entry, next);
}
return entry;
}
@@ -693,14 +789,9 @@ struct blob_item *blob_collection_add_blob(struct blob_collection_head *head, co
entry->size_buf = size+size_reserve;
// insert to the end
struct blob_item *itemc,*iteml=LIST_FIRST(head);
if (iteml)
{
while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
LIST_INSERT_AFTER(iteml, entry, next);
}
else
LIST_INSERT_HEAD(head, entry, next);
struct blob_item *tail, *item;
LIST_TAIL(head, tail, item);
LIST_INSERT_TAIL(head, tail, entry, next);
return entry;
}
@@ -725,7 +816,7 @@ void blob_collection_destroy(struct blob_collection_head *head)
}
bool blob_collection_empty(const struct blob_collection_head *head)
{
return !LIST_FIRST(head);
return LIST_EMPTY(head);
}
struct blob_item *blob_collection_search_name(struct blob_collection_head *head, const char *name)
{

30
nfq2/pools.h
View File

@@ -17,6 +17,17 @@
#define HOSTLIST_POOL_FLAG_STRICT_MATCH 1
#define LIST_TAIL(head, tail, temp) {\
tail=LIST_FIRST(head); \
if (tail) while ((temp=LIST_NEXT(tail,next))) tail = temp; }
#define LIST_INSERT_TAIL(head, tail, elm, field) { \
if (LIST_FIRST(head)) \
LIST_INSERT_AFTER(tail, elm, field); \
else \
LIST_INSERT_HEAD(head, elm, field); }
typedef struct hostlist_pool {
char *str; /* key */
uint32_t flags; /* custom data */
@@ -38,25 +49,28 @@ bool strlist_add(struct str_list_head *head, const char *str);
bool strlist_add_tail(struct str_list_head *head, const char *str);
void strlist_destroy(struct str_list_head *head);
bool strlist_search(const struct str_list_head *head, const char *str);
bool strlist_copy(struct str_list_head *to, const struct str_list_head *from);
struct ptr_list {
void *ptr1,*ptr2;
LIST_ENTRY(ptr_list) next;
struct str2_list {
char *str1,*str2;
LIST_ENTRY(str2_list) next;
};
LIST_HEAD(ptr_list_head, ptr_list);
LIST_HEAD(str2_list_head, str2_list);
struct ptr_list *ptrlist_add(struct ptr_list_head *head);
void ptrlist_destroy(struct ptr_list_head *head);
struct str2_list *str2list_add(struct str2_list_head *head);
bool str2list_copy(struct str2_list_head *to, const struct str2_list_head *from);
void str2list_destroy(struct str2_list_head *head);
struct func_list {
char *func;
uint64_t payload_type;
struct packet_range range_in, range_out;
struct ptr_list_head args;
struct str2_list_head args;
LIST_ENTRY(func_list) next;
};
LIST_HEAD(func_list_head, func_list);
struct func_list *funclist_add_tail(struct func_list_head *head, const char *func);
bool funclist_copy(struct func_list_head *to, const struct func_list_head *from);
void funclist_destroy(struct func_list_head *head);
@@ -96,6 +110,7 @@ struct hostlist_item {
LIST_HEAD(hostlist_collection_head, hostlist_item);
struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile);
void hostlist_collection_destroy(struct hostlist_collection_head *head);
bool hostlist_collection_copy(struct hostlist_collection_head *to, const struct hostlist_collection_head *from);
struct hostlist_item *hostlist_collection_search(struct hostlist_collection_head *head, const char *filename);
bool hostlist_collection_is_empty(const struct hostlist_collection_head *head);
@@ -158,6 +173,7 @@ struct ipset_item {
};
LIST_HEAD(ipset_collection_head, ipset_item);
struct ipset_item * ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile);
bool ipset_collection_copy(struct ipset_collection_head *to, const struct ipset_collection_head *from);
void ipset_collection_destroy(struct ipset_collection_head *head);
struct ipset_item *ipset_collection_search(struct ipset_collection_head *head, const char *filename);
bool ipset_collection_is_empty(const struct ipset_collection_head *head);

43
nfq2/protocol.c
View File

@@ -48,7 +48,7 @@ bool l7_proto_match(t_l7proto l7proto, uint64_t filter_l7)
static const char *l7payload_name[] = {
"all","unknown","empty","known","http_req","http_reply","tls_client_hello","tls_server_hello","quic_initial",
"wireguard_initiation","wireguard_response","wireguard_cookie","wireguard_keepalive","wireguard_data",
"dht","discord_ip_discovery","stun_binding_req",
"dht","discord_ip_discovery","stun",
"xmpp_stream", "xmpp_starttls", "xmpp_proceed", "xmpp_features",
"dns_query", "dns_response",
"mtproto_initial"};
@@ -66,6 +66,35 @@ bool l7_payload_match(t_l7payload l7payload, uint64_t filter_l7p)
{
return filter_l7p==L7P_ALL || (filter_l7p & (1<<l7payload)) || (filter_l7p & (1<<L7P_KNOWN)) && l7payload>L7P_KNOWN && l7payload<L7P_LAST;
}
bool l7_payload_str_list(uint64_t l7p, char *buf, size_t size)
{
char *p;
const char *pstr;
size_t lstr;
t_l7payload pl;
if (!size) return false;
if (l7p==L7P_ALL)
{
if (size<4) return false;
memcpy(buf,"all",4);
return true;
}
for(pl=0, p=buf, *buf=0 ; pl<L7P_LAST ; pl++)
{
if (l7p & (1<<pl))
{
pstr = l7payload_str(pl);
lstr = strlen(pstr);
if (size < ((p!=buf) + lstr + 1)) return false;
if (p!=buf) *p++=','; // not first
memcpy(p,pstr,lstr);
p[lstr]=0;
p+=lstr;
}
}
return true;
}
static const char *posmarker_names[] = {"abs","host","endhost","sld","midsld","endsld","method","extlen","sniext"};
@@ -339,8 +368,10 @@ bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *
// extract 2nd level domains
const char *dhost, *drhost;
if (!FindNLD((uint8_t*)host,strlen(host),2,(const uint8_t**)&dhost,NULL) || !FindNLD((uint8_t*)redirect_host,strlen(redirect_host),2,(const uint8_t**)&drhost,NULL))
if (!FindNLD((uint8_t*)redirect_host,strlen(redirect_host),2,(const uint8_t**)&drhost,NULL))
return false;
if (!FindNLD((uint8_t*)host,strlen(host),2,(const uint8_t**)&dhost,NULL))
return true; // no SLD redirects to SLD
// compare 2nd level domains
return strcasecmp(dhost, drhost)!=0;
@@ -819,7 +850,7 @@ bool TLSMod(const struct fake_tls_mod *tls_mod, const uint8_t *payload, size_t p
{
if (tls_mod->mod & FAKE_TLS_MOD_DUP_SID)
{
if (IsTLSClientHello(payload, payload_len, false))
if (IsTLSClientHelloPartial(payload, payload_len))
{
if (payload_len < 44)
{
@@ -1380,11 +1411,11 @@ bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len)
!memcmp(data+8,"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",64);
// address is not set in request
}
bool IsStunBindingRequest(const uint8_t *data, size_t len)
bool IsStunMessage(const uint8_t *data, size_t len)
{
return len>=20 && // header size
data[0]==0 && data[1]==1 &&
(data[3]&0b11)==0 && // length must be a multiple of 4
(data[0]&0xC0)==0 && // 2 most significant bits must be zeroes
(data[3]&3)==0 && // length must be a multiple of 4
ntohl(*(uint32_t*)(&data[4]))==0x2112A442 && // magic cookie
ntohs(*(uint16_t*)(&data[2]))==len-20;
}

7
nfq2/protocol.h
View File

@@ -42,7 +42,7 @@ typedef enum {
L7P_WIREGUARD_DATA,
L7P_DHT,
L7P_DISCORD_IP_DISCOVERY,
L7P_STUN_BINDING_REQ,
L7P_STUN,
L7P_XMPP_STREAM,
L7P_XMPP_STARTTLS,
L7P_XMPP_PROCEED,
@@ -55,6 +55,7 @@ typedef enum {
t_l7payload l7payload_from_name(const char *name);
const char *l7payload_str(t_l7payload l7);
bool l7_payload_match(t_l7payload l7payload, uint64_t filter_l7p);
bool l7_payload_str_list(uint64_t l7p, char *buf, size_t size);
typedef enum {
PM_ABS=0,
@@ -126,7 +127,7 @@ bool TLSHelloExtractHostFromHandshake(const uint8_t *data, size_t len, char *hos
struct fake_tls_mod
{
char sni[128];
char sni[256];
uint32_t mod;
};
#define FAKE_TLS_MOD_RND 0x01
@@ -152,7 +153,7 @@ bool IsWireguardKeepalive(const uint8_t *data, size_t len);
bool IsWireguardData(const uint8_t *data, size_t len);
bool IsDht(const uint8_t *data, size_t len);
bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len);
bool IsStunBindingRequest(const uint8_t *data, size_t len);
bool IsStunMessage(const uint8_t *data, size_t len);
bool IsMTProto(const uint8_t *data, size_t len);
#define QUIC_MAX_CID_LENGTH 20