winws2: harden sandbox

docs/changes.txt

@@ -93,9 +93,24 @@ v0.7
 
 v0.7.1
 
-* init.d: fix non-working incoming redirect
+* init.d: nft fix non-working incoming redirect
 * nfqws2: cancel reasm if server window size is smaller than expected reasm size
 * nfqws2: add EOL at the end of truncated buffered DLOG line if it's too large. increase log line buffer
 * nfqws2: autohostlist reset fail counter if udp_in > threshold
 * nfqws2: reduced default retrans maxseq to 32768
 * nfqws2: solved inability to get SSID using nl80211 on kernels 5.19+
+
+v0.7.2
+
+* zapret-lib: fix broken is_retransmission()
+* zapret-auto: add success detector logic
+* nfqws2: clean lua cutoff on profile change
+* zapret-auto: separate hostkey function
+
+v0.7.4
+
+* nfqws2, zapret-lib : check tcp sequence range overflow
+* zapret-lib : seq compare functions
+* nfqws2: add l3_len, l4_len to dissect
+* nfqws2: fix broken l7proto profile rediscovery
+* winws2: harden sandbox. disable child process execution , some UI interaction and desktop settings change

lua/zapret-auto.lua

@@ -1,20 +1,48 @@
 -- standard automation/orchestration code
 -- this is related to making dynamic strategy decisions without rewriting or altering strategy function code
 -- orchestrators can decide which instances to call or not to call or pass them dynamic arguments
--- failure detectors test potential block conditions for orchestrators
+-- failure and success detectors test potential block conditions for orchestrators
+
+-- standard host key generator for per-host storage
 -- arg: reqhost - require hostname, do not work with ip
--- arg: key - a string - table name inside autostate table. to allow multiple orchestrator instances to use single host storage
-function automate_host_record(desync)
-	local hostkey, askey
-	if desync.arg.reqhost then
-		hostkey = desync.track and desync.track.hostname
-	else
-		hostkey = host_or_ip(desync)
+-- arg: nld=N - cut hostname to N level domain. NLD=2 static.intranet.microsoft.com => microsoft.com
+function standard_hostkey(desync)
+	local hostkey = desync.track and desync.track.hostname
+	if hostkey then
+		if desync.arg.nld and tonumber(desync.arg.nld)>0 and not (desync.track and desync.track.hostname_is_ip) then
+			-- dissect_nld returns nil if domain is invalid or does not have this NLD
+			-- fall back to original hostkey if it fails
+			local hktemp = dissect_nld(hostkey, tonumber(desync.arg.nld))
+			if hktemp then
+				hostkey = hktemp
+			end
+		end
+	elseif not desync.arg.reqhost then
+		hostkey = host_ip(desync)
 	end
+	return hostkey
+end
+
+-- per-host storage
+-- arg: key - a string - table name inside autostate table. to allow multiple orchestrator instances to use single host storage
+-- arg: hostkey - hostkey generator function name
+function automate_host_record(desync)
+	local hostkey, hkf, askey
+
+	if desync.arg.hostkey then
+		if type(_G[desync.arg.hostkey])~="function" then
+			error("automate: invalid hostkey function '"..desync.arg.hostkey.."'")
+		end
+		hkf = _G[desync.arg.hostkey]
+	else
+		hkf = standard_hostkey
+	end
+	hostkey = hkf(desync)
 	if not hostkey then
 		DLOG("automate: host record key unavailable")
 		return nil
 	end
+
 	askey = (desync.arg.key and #desync.arg.key>0) and desync.arg.key or desync.func_instance
 	DLOG("automate: host record key 'autostate."..askey.."."..hostkey.."'")
 	if not autostate then
@@ -28,6 +56,7 @@ function automate_host_record(desync)
 	end
 	return autostate[askey][hostkey]
 end
+-- per-connection storage
 function automate_conn_record(desync)
 	if not desync.track.lua_state.automate then
 		desync.track.lua_state.automate = {}
@@ -65,6 +94,13 @@ function automate_failure_counter(hrec, crec, fails, maxtime)
 	end
 	return false
 end
+-- resets failure counter if it has started counting
+function automate_failure_counter_reset(hrec)
+	if hrec.failure_counter then
+		DLOG("automate: failure counter reset")
+		hrec.failure_counter = nil
+	end
+end
 
 -- location is url compatible with Location: header
 -- hostname is original hostname
@@ -78,6 +114,18 @@ function is_dpi_redirect(hostname, location)
 	return false
 end
 
+function standard_detector_defaults(arg)
+	return {
+		inseq = tonumber(arg.inseq) or 4096,
+		retrans = tonumber(arg.retrans) or 3,
+		maxseq = tonumber(arg.maxseq) or 32768,
+		udp_in = tonumber(arg.udp_in) or 1,
+		udp_out = tonumber(arg.udp_out) or 4,
+		no_http_redirect = arg.no_http_redirect,
+		no_rst = arg.no_rst
+	}
+end
+
 -- standard failure detector
 -- works with tcp and udp
 -- detected failures:
@@ -85,46 +133,34 @@ end
 --   incoming http redirection
 --   outgoing retransmissions
 --   udp too much out with too few in
--- arg: seq=<rseq> - tcp: if packet is beyond this relative sequence number treat this connection as successful. default is 64K
+-- arg: maxseq=<rseq> - tcp: test retransmissions only within this relative sequence. default is 32K
 -- arg: retrans=N - tcp: retrans count threshold. default is 3
--- arg: rst=<rseq> - tcp: maximum relative sequence number to treat incoming RST as DPI reset. default is 1
+-- arg: inseq=<rseq> - tcp: maximum relative sequence number to treat incoming RST as DPI reset. default is 4K
 -- arg: no_http_redirect - tcp: disable http_reply dpi redirect trigger
+-- arg: no_rst - tcp: disable incoming RST trigger
 -- arg: udp_out - udp: >= outgoing udp packets. default is 4
 -- arg: udp_in - udp: with <= incoming udp packets. default is 1
-function standard_failure_detector(desync, crec, arg)
-	if crec.nocheck then return false end
-
-	local seq_rst = tonumber(arg.rst) or 1
-	local retrans = tonumber(arg.retrans) or 3
-	local maxseq = tonumber(arg.seq) or 0x10000
-	local udp_in = tonumber(arg.udp_in) or 1
-	local udp_out = tonumber(arg.udp_out) or 4
-
+function standard_failure_detector(desync, crec)
+	local arg = standard_detector_defaults(desync.arg)
 	local trigger = false
 	if desync.dis.tcp then
 		local seq = pos_get(desync,'s')
-		if maxseq and seq>maxseq then
-			DLOG("standard_failure_detector: s"..seq.." is beyond s"..maxseq..". treating connection as successful")
-			crec.nocheck = true
-			return false
-		end
-
 		if desync.outgoing then
-			if #desync.dis.payload>0 and retrans and (crec.retrans or 0)<retrans then
+			if #desync.dis.payload>0 and arg.retrans and arg.maxseq>0 and seq<=arg.maxseq and (crec.retrans or 0)<arg.retrans then
 				if is_retransmission(desync) then
 					crec.retrans = crec.retrans and (crec.retrans+1) or 1
-					DLOG("standard_failure_detector: retransmission "..crec.retrans.."/"..retrans)
-					trigger = crec.retrans>=retrans
+					DLOG("standard_failure_detector: retransmission "..crec.retrans.."/"..arg.retrans)
+					trigger = crec.retrans>=arg.retrans
 				end
 			end
 		else
-			if seq_rst and bitand(desync.dis.tcp.th_flags, TH_RST)~=0 then
-				trigger = seq<=seq_rst
+			if not arg.no_rst and arg.inseq>0 and bitand(desync.dis.tcp.th_flags, TH_RST)~=0 and seq>=1 then
+				trigger = seq<=arg.inseq
 				if b_debug then
 					if trigger then
-						DLOG("standard_failure_detector: incoming RST s"..seq.." in range s"..seq_rst)
+						DLOG("standard_failure_detector: incoming RST s"..seq.." in range s"..arg.inseq)
 					else
-						DLOG("standard_failure_detector: not counting incoming RST s"..seq.." beyond s"..seq_rst)
+						DLOG("standard_failure_detector: not counting incoming RST s"..seq.." beyond s"..arg.inseq)
 					end
 				end
 			elseif not arg.no_http_redirect and desync.l7payload=="http_reply" and desync.track.hostname then
@@ -143,13 +179,13 @@ function standard_failure_detector(desync, crec, arg)
 		end
 	elseif desync.dis.udp then
 		if desync.outgoing then
-			if udp_out then
-				local udp_in = udp_in or 0
-				trigger = desync.track.pos.direct.pcounter>=udp_out and desync.track.pos.reverse.pcounter<=udp_in
+			if arg.udp_out>0 then
+				local pos_out = pos_get(desync,'n',false)
+				local pos_in = pos_get(desync,'n',true)
+				trigger = pos_out>=arg.udp_out and pos_in<=arg.udp_in
 				if trigger then
-					crec.nocheck = true
 					if b_debug then
-						DLOG("standard_failure_detector: udp_out "..desync.track.pos.direct.pcounter..">="..udp_out.." udp_in "..desync.track.pos.reverse.pcounter.."<="..udp_in)
+						DLOG("standard_failure_detector: arg.udp_out "..pos_out..">="..arg.udp_out.." arg.udp_in "..pos_in.."<="..arg.udp_in)
 					end
 				end
 			end
@@ -158,17 +194,102 @@ function standard_failure_detector(desync, crec, arg)
 	return trigger
 end
 
+-- standard success detector
+-- success means previous failures were temporary and counter should be reset
+-- detected successes:
+--   tcp: outgoing seq is beyond 'maxseq' and maxseq>0
+--   tcp: incoming seq is beyond 'inseq' and inseq>0
+--   udp: incoming packets count > `udp_in` and `udp_out`>0
+-- arg: maxseq=<rseq> - tcp: success if outgoing relative sequence is beyond this value. default is 32K
+-- arg: inseq=<rseq> - tcp: success if incoming relative sequence is beyond this value. default is 4K
+-- arg: udp_out - udp : must be nil or >0 to test udp_in
+-- arg: udp_in - udp: if number if incoming packets > udp_in it means success
+function standard_success_detector(desync, crec)
+	local arg = standard_detector_defaults(desync.arg)
+	if desync.dis.tcp then
+		local seq = pos_get(desync,'s')
+		if desync.outgoing then
+			if arg.maxseq>0 and seq>arg.maxseq then
+				DLOG("standard_success_detector: outgoing s"..seq.." is beyond s"..arg.maxseq..". treating connection as successful")
+				return true
+			end
+		else
+			if arg.inseq>0 and seq>arg.inseq then
+				DLOG("standard_success_detector: incoming s"..seq.." is beyond s"..arg.inseq..". treating connection as successful")
+				return true
+			end
+		end
+	elseif desync.dis.udp then
+		if not desync.outgoing then
+			local pos = pos_get(desync,'n')
+			if arg.udp_out>0 and pos>arg.udp_in then
+				if b_debug then
+					DLOG("standard_success_detector: arg.udp_in "..pos..">"..arg.udp_in)
+				end
+				return true
+			end
+		end
+	end
+
+	return false
+end
+
+-- calls success and failure detectors
+-- resets counter if success is detected
+-- increases counter if failure is detected
+-- returns true if failure counter exceeds threshold
+function automate_failure_check(desync, hrec, crec)
+	if crec.nocheck then return false end
+
+	local failure_detector, success_detector
+	if desync.arg.failure_detector then
+		if type(_G[desync.arg.failure_detector])~="function" then
+			error("automate: invalid failure detector function '"..desync.arg.failure_detector.."'")
+		end
+		failure_detector = _G[desync.arg.failure_detector]
+	else
+		failure_detector = standard_failure_detector
+	end
+	if desync.arg.success_detector then
+		if type(_G[desync.arg.success_detector])~="function" then
+			error("automate: invalid success detector function '"..desync.arg.success_detector.."'")
+		end
+		success_detector = _G[desync.arg.success_detector]
+	else
+		success_detector = standard_success_detector
+	end
+
+	if success_detector(desync, crec) then
+		crec.nocheck = true
+		DLOG("automate: success detected")
+		automate_failure_counter_reset(hrec)
+		return false
+	end
+	if failure_detector(desync, crec) then
+		crec.nocheck = true
+		DLOG("automate: failure detected")
+		local fails = tonumber(desync.arg.fails) or 3
+		local maxtime = tonumber(desync.arg.time) or 60
+		return automate_failure_counter(hrec, crec, fails, maxtime)
+	end
+
+	return false
+end
+
+
 -- circularily change strategy numbers when failure count reaches threshold ('fails')
--- works with tcp only
 -- this orchestrator requires redirection of incoming traffic to cache RST and http replies !
 -- each orchestrated instance must have strategy=N arg, where N starts from 1 and increment without gaps
 -- if 'final' arg is present in an orchestrated instance it stops rotation
 -- arg: fails=N - failture count threshold. default is 3
 -- arg: time=<sec> - if last failure happened earlier than `maxtime` seconds ago - reset failure counter. default is 60.
--- arg: reqhost - pass with no tampering if hostname is unavailable
--- arg: detector - failure detector function name.
+-- arg: success_detector - success detector function name
+-- arg: failure_detector - failure detector function name
+-- arg: hostkey - hostkey generator function name
 -- args for failure detector - see standard_failure_detector or your own detector
--- test case: nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s1 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
+-- args for success detector - see standard_success_detector or your own detector
+-- args for hostkey generator - see standard_hostkey or your own generator
+-- test case: nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-auto.lua --in-range=-s34228 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
 function circular(ctx, desync)
 	local function count_strategies(hrec)
 		if not hrec.ctstrategy then
@@ -223,26 +344,11 @@ function circular(ctx, desync)
 	local verdict = VERDICT_PASS
 	if hrec.final~=hrec.nstrategy then
 		local crec = automate_conn_record(desync)
-		local fails = tonumber(desync.arg.fails) or 3
-		local maxtime = tonumber(desync.arg.time) or 60
-		local failure_detector
-		if desync.arg.detector then
-			if type(_G[desync.arg.detector])~="function" then
-				error("circular: invalid failure detector function '"..desync.arg.detector.."'")
-			end
-			failure_detector = _G[desync.arg.detector]
-		else
-			failure_detector = standard_failure_detector
-		end
-		if failure_detector(desync,crec,desync.arg) then
-			-- failure happened. count failures.
-			if automate_failure_counter(hrec, crec, fails, maxtime) then
-				-- counter reaches threshold. circular strategy change
-				hrec.nstrategy = (hrec.nstrategy % hrec.ctstrategy) + 1
-				DLOG("circular: rotate strategy to "..hrec.nstrategy)
-				if hrec.nstrategy == hrec.final then
-					DLOG("circular: final strategy "..hrec.final.." reached. will rotate no more.")
-				end
+		if automate_failure_check(desync, hrec, crec) then
+			hrec.nstrategy = (hrec.nstrategy % hrec.ctstrategy) + 1
+			DLOG("circular: rotate strategy to "..hrec.nstrategy)
+			if hrec.nstrategy == hrec.final then
+				DLOG("circular: final strategy "..hrec.final.." reached. will rotate no more.")
 			end
 		end
 	end

lua/zapret-lib.lua

@@ -234,6 +234,12 @@ function desync_orchestrator_example(ctx, desync)
 	return replay_execution_plan(desync)
 end
 
+-- if seq is over 2G s and p position comparision can be wrong
+function pos_counter_overflow(desync, mode, reverse)
+	if not desync.track or not desync.track.tcp or (mode~='s' and mode~='p') then return false end
+	local track_pos = reverse and desync.track.pos.reverse or desync.track.pos.direct
+	return track_pos.tcp.rseq_over_2G
+end
 -- these functions duplicate range check logic from C code
 -- mode must be n,d,b,s,x,a
 -- pos is {mode,pos}
@@ -265,7 +271,7 @@ function pos_get(desync, mode, reverse)
 	return 0
 end
 function pos_check_from(desync, range)
-	if range.from.mode == 'x' then return false end
+	if range.from.mode == 'x' or pos_counter_overflow(desync, range.from.mode) then return false end
 	if range.from.mode ~= 'a' then
 		if desync.track then
 			return pos_get(desync, range.from.mode) >= range.from.pos
@@ -277,7 +283,7 @@ function pos_check_from(desync, range)
 end
 function pos_check_to(desync, range)
 	local ps
-	if range.to.mode == 'x' then return false end
+	if range.to.mode == 'x' or pos_counter_overflow(desync, range.to.mode) then return false end
 	if range.to.mode ~= 'a' then
 		if desync.track then
 			ps = pos_get(desync, range.to.mode)
@@ -297,8 +303,31 @@ end
 function pos_str(desync, pos)
 	return pos.mode..pos_get(desync, pos.mode)
 end
+
+-- sequence comparision functions. they work only within 2G interval
+-- seq1>=seq2
+function seq_ge(seq1, seq2)
+	return 0==bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq1>seq2
+function seq_gt(seq1, seq2)
+	return seq1~=seq2 and seq_ge(seq1, seq2)
+end
+-- seq1<seq2
+function seq_lt(seq1, seq2)
+	return 0~=bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq1<=seq2
+function seq_le(seq1, seq2)
+	return seq1==seq2 or 0~=bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq_low<=seq<=seq_hi
+function seq_within(seq, seq_low, seq_hi)
+	return seq_ge(seq, seq_low) and seq_le(seq, seq_hi)
+end
+
 function is_retransmission(desync)
-	return desync.track and desync.track.tcp and 0==bitand(u32add(desync.track.tcp.uppos_orig_prev, -desync.track.tcp.pos_orig), 0x80000000)
+	return desync.track and desync.track.pos.direct.tcp and seq_ge(desync.track.pos.direct.tcp.uppos_prev, desync.track.pos.direct.tcp.pos)
 end
 
 -- prepare standard rawsend options from desync
@@ -801,6 +830,7 @@ end
 -- ip6_hopbyhop[=hex] - add hopbyhop ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_hopbyhop2[=hex] - add second hopbyhop ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_destopt[=hex] - add destopt ipv6 header with optional data. data size must be 6+N*8. all zero by default.
+-- ip6_destopt2[=hex] - add second destopt ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_routing[=hex] - add routing ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_ah[=hex] - add authentication ipv6 header with optional data. data size must be 6+N*4. 0000 + 4 random bytes by default.
 
@@ -1236,12 +1266,16 @@ function genhost(len, template)
 	end
 end
 
--- return hostname if present or ip address in text form otherwise
+-- return ip addr of target host in text form
+function host_ip(desync)
+	return desync.target.ip and ntop(desync.target.ip) or desync.target.ip6 and ntop(desync.target.ip6)
+end
+-- return hostname of target host if present or ip address in text form otherwise
 function host_or_ip(desync)
 	if desync.track and desync.track.hostname then
 		return desync.track.hostname
 	end
-	return desync.target.ip and ntop(desync.target.ip) or desync.target.ip6 and ntop(desync.target.ip6)
+	return host_ip(desync)
 end
 
 function is_absolute_path(path)

nfq2/conntrack.c

@@ -155,6 +155,11 @@ static void ConntrackApplyPos(const struct tcphdr *tcp, t_ctrack *t, bool bRever
 	if (direct->scale != SCALE_NONE) direct->winsize_calc <<= direct->scale;
 	if (mss && !direct->mss) direct->mss = mss;
 	if (scale != SCALE_NONE) direct->scale = scale;
+
+	if (!direct->rseq_over_2G && ((direct->seq_last - direct->seq0) & 0x80000000))
+		direct->rseq_over_2G = true;
+	if (!reverse->rseq_over_2G && ((reverse->seq_last - reverse->seq0) & 0x80000000))
+		reverse->rseq_over_2G = true;
 }
 
 // non-tcp packets are passed with tcphdr=NULL but len_payload filled
@@ -208,19 +213,7 @@ static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr
 
 		ConntrackApplyPos(tcphdr, t, bReverse, len_payload);
 	}
-	else
-	{
-		if (bReverse)
-		{
-			t->pos.server.seq_last = t->pos.server.pos;
-			t->pos.server.pos += len_payload;
-		}
-		else
-		{
-			t->pos.client.seq_last = t->pos.client.pos;
-			t->pos.client.pos += len_payload;
-		}
-	}
+
 	clock_gettime(CLOCK_REALTIME, &t->pos.t_last);
 	// make sure t_start gets exactly the same value as first t_last
 	if (!t->t_start.tv_sec) t->t_start = t->pos.t_last;

nfq2/conntrack_base.h

@@ -17,17 +17,18 @@ typedef struct
 	uint64_t pcounter;	// packet counter
 	uint64_t pdcounter;	// data packet counter (with payload)
 	uint64_t pbcounter;	// transferred byte counter. includes retransmissions. it's not the same as relative seq.
+
+	// tcp only state, not used in udp
 	uint32_t pos;		// TCP: seq_last+payload, ack_last+payload  UDP: sum of all seen payload lenghts including current
 	uint32_t uppos;		// max seen position. useful to detect retransmissions
 	uint32_t uppos_prev; 	// previous max seen position. useful to detect retransmissions
 	uint32_t seq_last;	// TCP: last seen seq and ack  UDP: sum of all seen payload lenghts NOT including current
-
-	// tcp only state, not used in udp
 	uint32_t seq0;		// starting seq and ack
 	uint16_t winsize;	// last seen window size
 	uint16_t mss;
 	uint32_t winsize_calc;	// calculated window size
 	uint8_t scale;		// last seen window scale factor. SCALE_NONE if none
+	bool rseq_over_2G;
 } t_ctrack_position;
 
 typedef struct

nfq2/darkmagic.c

@@ -718,6 +718,29 @@ bool prepare_low_appdata()
 	return b;
 }
 
+BOOL JobSandbox()
+{
+	BOOL bRes = FALSE;
+	HANDLE hJob;
+	JOBOBJECT_BASIC_LIMIT_INFORMATION basic_limit;
+	JOBOBJECT_BASIC_UI_RESTRICTIONS basic_ui;
+
+	if (hJob = CreateJobObjectW(NULL, NULL))
+	{
+		basic_limit.LimitFlags = JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
+		// prevent child process creation
+		basic_limit.ActiveProcessLimit = 1;
+		// prevent some UI interaction and settings change
+		basic_ui.UIRestrictionsClass = JOB_OBJECT_UILIMIT_DESKTOP | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS | JOB_OBJECT_UILIMIT_EXITWINDOWS | JOB_OBJECT_UILIMIT_GLOBALATOMS | JOB_OBJECT_UILIMIT_HANDLES | JOB_OBJECT_UILIMIT_READCLIPBOARD | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS | JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
+		bRes = SetInformationJobObject(hJob, JobObjectBasicLimitInformation, &basic_limit, sizeof(basic_limit)) &&
+			SetInformationJobObject(hJob, JobObjectBasicUIRestrictions, &basic_ui, sizeof(basic_ui)) &&
+			AssignProcessToJobObject(hJob, GetCurrentProcess());
+		w_win32_error = GetLastError();
+		CloseHandle(hJob);
+	}
+	return bRes;
+}
+
 
 #define WINDIVERT_DEVICE_NAME "WinDivert"
 static bool b_isandbox_set = false;
@@ -734,6 +757,8 @@ bool win_sandbox(void)
 			return FALSE;
 		if (!LowMandatoryLevel())
 			return false;
+		if (!JobSandbox())
+			return false;
 		// for LUA code to find where to store files
 		b_isandbox_set = true;
 	}

nfq2/desync.c

@@ -505,7 +505,10 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, const struct dissect *
 	return VERDICT_DROP;
 }
 
-
+static bool pos_overflow(const t_ctrack_position *pos, char mode)
+{
+	return (mode=='s' || mode=='p') && pos && pos->rseq_over_2G;
+}
 static uint64_t pos_get(const t_ctrack_position *pos, char mode)
 {
 	if (pos)
@@ -524,7 +527,7 @@ static uint64_t pos_get(const t_ctrack_position *pos, char mode)
 static bool check_pos_from(const t_ctrack_position *pos, const struct packet_range *range)
 {
 	uint64_t ps;
-	if (range->from.mode == 'x') return false;
+	if ((range->from.mode == 'x') || pos_overflow(pos,range->from.mode)) return false;
 	if (range->from.mode != 'a')
 	{
 		if (pos)
@@ -540,7 +543,7 @@ static bool check_pos_from(const t_ctrack_position *pos, const struct packet_ran
 static bool check_pos_to(const t_ctrack_position *pos, const struct packet_range *range)
 {
 	uint64_t ps;
-	if (range->to.mode == 'x') return false;
+	if (range->to.mode == 'x' || pos_overflow(pos,range->to.mode)) return false;
 	if (range->to.mode != 'a')
 	{
 		if (pos)
@@ -707,7 +710,7 @@ static uint8_t desync(
 	struct func_list *func;
 	int ref_arg = LUA_NOREF, status;
 	bool b, b_cutoff_all, b_unwanted_payload;
-	t_lua_desync_context ctx = { .dp = dp, .ctrack = ctrack, .dis = dis, .cancel = false, .incoming = bIncoming };
+	t_lua_desync_context ctx = { .magic = 0, .dp = dp, .ctrack = ctrack, .dis = dis, .cancel = false, .incoming = bIncoming };
 	const char *sDirection = bIncoming ? "in" : "out";
 	struct packet_range *range;
 	size_t l;
@@ -754,10 +757,12 @@ static uint8_t desync(
 					DLOG("* lua '%s' : voluntary cutoff\n", instance);
 				else if (check_pos_cutoff(pos, range))
 				{
-					DLOG("* lua '%s' : %s pos %c%llu %c%llu is beyond range %c%u%c%c%u (ctrack %s)\n",
+					DLOG("* lua '%s' : %s pos %c%llu %c%llu overflow %u %u is beyond range %c%u%c%c%u (ctrack %s)\n",
 						instance, sDirection,
 						range->from.mode, pos_get(pos, range->from.mode),
 						range->to.mode, pos_get(pos, range->to.mode),
+						pos_overflow(pos, range->from.mode),
+						pos_overflow(pos, range->to.mode),
 						range->from.mode, range->from.pos,
 						range->upper_cutoff ? '<' : '-',
 						range->to.mode, range->to.pos,
@@ -855,8 +860,14 @@ static uint8_t desync(
 							lua_pushf_str("func", func->func);
 							lua_pushf_int("func_n", ctx.func_n);
 							lua_pushf_str("func_instance", instance);
-							int initial_stack_top = lua_gettop(params.L);
+
+							// lua should not store and access ctx outside of this call
+							// if this happens make our best to prevent access to bad memory
+							// this is not crash-proof but better than nothing
+							ctx.magic = MAGIC_CTX; // mark struct as valid
 							status = lua_pcall(params.L, 2, LUA_MULTRET, 0);
+							ctx.magic = 0; // mark struct as invalid
+
 							if (status)
 							{
 								lua_dlog_error();
@@ -975,6 +986,23 @@ static void setup_direction(
 	}
 }
 
+static void dp_changed(t_ctrack *ctrack)
+{
+	if (ctrack)
+	{
+		if (ctrack->b_lua_in_cutoff)
+		{
+			DLOG("clearing lua in cutoff because of profile change\n");
+			ctrack->b_lua_in_cutoff = false;
+		}
+		if (ctrack->b_lua_out_cutoff)
+		{
+			DLOG("clearing lua out cutoff because of profile change\n");
+			ctrack->b_lua_out_cutoff = false;
+		}
+	}
+}
+
 static uint8_t dpi_desync_tcp_packet_play(
 	unsigned int replay_piece, unsigned int replay_piece_count, size_t reasm_offset,
 	uint32_t fwmark,
@@ -1293,8 +1321,8 @@ static uint8_t dpi_desync_tcp_packet_play(
 		bool bDiscoveredL7;
 		if (ctrack_replay)
 		{
-			bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN;
-			ctrack_replay->l7proto_discovered = true;
+			if (bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN)
+				ctrack_replay->l7proto_discovered = true;
 		}
 		else
 			bDiscoveredL7 = l7proto != L7_UNKNOWN;
@@ -1342,6 +1370,7 @@ static uint8_t dpi_desync_tcp_packet_play(
 			if (!dp) goto pass_reasm_cancel;
 			if (dp != dp_prev)
 			{
+				dp_changed(ctrack_replay);
 				DLOG("desync profile changed by revealed l7 protocol or hostname !\n");
 			}
 		}
@@ -1737,8 +1766,8 @@ static uint8_t dpi_desync_udp_packet_play(
 			bool bDiscoveredL7;
 			if (ctrack_replay)
 			{
-				bDiscoveredL7 = !ctrack_replay->l7proto_discovered && l7proto != L7_UNKNOWN;
-				ctrack_replay->l7proto_discovered = true;
+				if ((bDiscoveredL7 = !ctrack_replay->l7proto_discovered && l7proto != L7_UNKNOWN))
+					ctrack_replay->l7proto_discovered = true;
 			}
 			else
 				bDiscoveredL7 = l7proto != L7_UNKNOWN;
@@ -1786,6 +1815,7 @@ static uint8_t dpi_desync_udp_packet_play(
 					goto pass_reasm_cancel;
 				if (dp != dp_prev)
 				{
+					dp_changed(ctrack_replay);
 					DLOG("desync profile changed by revealed l7 protocol or hostname !\n");
 				}
 			}

nfq2/desync.h

@@ -13,8 +13,10 @@
 
 #ifdef __linux__
 #define DPI_DESYNC_FWMARK_DEFAULT 0x40000000
-#else
+#elif defined(SO_USER_COOKIE)
 #define DPI_DESYNC_FWMARK_DEFAULT 512
+#else
+#define DPI_DESYNC_FWMARK_DEFAULT 0
 #endif
 
 uint8_t dpi_desync_packet(uint32_t fwmark, const char *ifin, const char *ifout, const uint8_t *data_pkt, size_t len_pkt, uint8_t *mod_pkt, size_t *len_mod_pkt);

nfq2/lua.c

@@ -690,6 +690,22 @@ static int luacall_clock_gettime(lua_State *L)
 	}
 	LUA_STACK_GUARD_RETURN(L,2)
 }
+
+static t_lua_desync_context *lua_desync_ctx()
+{
+	if (lua_isnil(params.L,1))
+		luaL_error(params.L, "missing ctx");
+	if (!lua_islightuserdata(params.L,1))
+		luaL_error(params.L, "bad ctx - invalid data type");
+
+	t_lua_desync_context *ctx = lua_touserdata(params.L,1);
+	// ensure it's really ctx. LUA could pass us any lightuserdata pointer
+	if (ctx->magic!=MAGIC_CTX)
+		luaL_error(params.L, "bad ctx - magic bytes invalid");
+
+	return ctx;
+}
+
 static int luacall_instance_cutoff(lua_State *L)
 {
 	// out : instance_name.profile_number[0]
@@ -699,16 +715,12 @@ static int luacall_instance_cutoff(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	const t_lua_desync_context *ctx;
-
 	if (lua_isnil(L,1))
 		// this can happen in orchestrated function. they do not have their own ctx and they cant cutoff
 		DLOG("instance cutoff not possible because missing ctx\n");
 	else
 	{
-		if (!lua_islightuserdata(L,1))
-			luaL_error(L, "instance_cutoff expect desync context in the first argument");
-		ctx = lua_touserdata(L,1);
+		const t_lua_desync_context *ctx = lua_desync_ctx();
 
 		int argc=lua_gettop(L);
 		bool bIn,bOut;
@@ -720,7 +732,6 @@ static int luacall_instance_cutoff(lua_State *L)
 		}
 		else
 			bIn = bOut = true;
-
 		if (ctx->ctrack)
 		{
 			DLOG("instance cutoff for '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
@@ -785,11 +796,7 @@ static int luacall_lua_cutoff(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "lua_cutoff expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	t_lua_desync_context *ctx = lua_desync_ctx();
 
 	int argc=lua_gettop(L);
 	bool bIn,bOut;
@@ -821,11 +828,7 @@ static int luacall_execution_plan(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	const t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "execution_plan expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	t_lua_desync_context *ctx = lua_desync_ctx();
 
 	lua_newtable(L);
 
@@ -862,11 +865,7 @@ static int luacall_execution_plan_cancel(lua_State *L)
 {
 	lua_check_argc(L,"execution_plan_cancel",1);
 
-	t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "execution_plan_cancel expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	t_lua_desync_context *ctx = lua_desync_ctx();
 
 	DLOG("execution plan cancel from '%s'\n",ctx->instance);
 
@@ -881,11 +880,7 @@ static int luacall_raw_packet(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	const t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "raw_packet expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	const t_lua_desync_context *ctx = lua_desync_ctx();
 
 	lua_pushlstring(L, (const char*)ctx->dis->data_pkt, ctx->dis->len_pkt);
 
@@ -1251,13 +1246,15 @@ void lua_push_dissect(const struct dissect *dis)
 
 	if (dis)
 	{
-		lua_createtable(params.L, 0, 7);
+		lua_createtable(params.L, 0, 9);
 		lua_pushf_iphdr(dis->ip, dis->len_l3);
 		lua_pushf_ip6hdr(dis->ip6, dis->len_l3);
 		lua_pushf_tcphdr(dis->tcp, dis->len_l4);
 		lua_pushf_udphdr(dis->udp, dis->len_l4);
 		lua_pushf_int("l4proto",dis->proto);
 		lua_pushf_int("transport_len",dis->transport_len);
+		lua_pushf_int("l3_len",dis->len_l3);
+		lua_pushf_int("l4_len",dis->len_l4);
 		lua_pushf_raw("payload",dis->data_payload,dis->len_payload);
 	}
 	else
@@ -1282,10 +1279,11 @@ void lua_pushf_ctrack_pos(const t_ctrack *ctrack, const t_ctrack_position *pos)
 	if (ctrack->ipproto == IPPROTO_TCP)
 	{
 		lua_pushliteral(params.L, "tcp");
-		lua_createtable(params.L, 0, 10);
+		lua_createtable(params.L, 0, 11);
 		lua_pushf_lint("seq0", pos->seq0);
 		lua_pushf_lint("seq", pos->seq_last);
 		lua_pushf_lint("rseq", pos->seq_last - pos->seq0);
+		lua_pushf_bool("rseq_over_2G", pos->rseq_over_2G);
 		lua_pushf_int("pos", pos->pos - pos->seq0);
 		lua_pushf_int("uppos", pos->uppos - pos->seq0);
 		lua_pushf_int("uppos_prev", pos->uppos_prev - pos->seq0);
@@ -2135,7 +2133,7 @@ static int luacall_csum_ip4_fix(lua_State *L)
 }
 static int luacall_csum_tcp_fix(lua_State *L)
 {
-	// csum_ip4_fix(ip_header, tcp_header, payload) returns tcp_header
+	// csum_tcp_fix(ip_header, tcp_header, payload) returns tcp_header
 	lua_check_argc(L,"csum_tcp_fix",3);
 
 	LUA_STACK_GUARD_ENTER(L)
@@ -2176,7 +2174,7 @@ static int luacall_csum_tcp_fix(lua_State *L)
 }
 static int luacall_csum_udp_fix(lua_State *L)
 {
-	// csum_ip4_fix(ip_header, tcp_header, payload) returns tcp_header
+	// csum_udp_fix(ip_header, udp_header, payload) returns udp_header
 	lua_check_argc(L,"csum_udp_fix",3);
 
 	LUA_STACK_GUARD_ENTER(L)
@@ -3000,9 +2998,11 @@ static void lua_init_const(void)
 		{"IP_OFFMASK",IP_OFFMASK},
 		{"IP_FLAGMASK",IP_RF|IP_DF|IP_MF},
 		{"IPTOS_ECN_MASK",IPTOS_ECN_MASK},
+		{"IPTOS_ECN_NOT_ECT",0},
 		{"IPTOS_ECN_ECT1",IPTOS_ECN_ECT1},
 		{"IPTOS_ECN_ECT0",IPTOS_ECN_ECT0},
 		{"IPTOS_ECN_CE",IPTOS_ECN_CE},
+		{"IPTOS_DSCP_MASK",0xF0},
 		{"IP6F_MORE_FRAG",0x0001}, // in ip6.h it's defined depending of machine byte order
 
 		{"IPPROTO_IP",IPPROTO_IP},

nfq2/lua.h

@@ -101,7 +101,9 @@ bool lua_reconstruct_tcphdr(int idx, struct tcphdr *tcp, size_t *len);
 bool lua_reconstruct_udphdr(int idx, struct udphdr *udp);
 bool lua_reconstruct_dissect(int idx, uint8_t *buf, size_t *len, bool badsum, bool ip6_preserve_next);
 
+#define MAGIC_CTX	0xE73DC935
 typedef struct {
+	uint32_t magic;
 	unsigned int func_n;
 	const char *func, *instance;
 	const struct desync_profile *dp;

nfq2/nfqws.c

@@ -630,6 +630,7 @@ static int win_main()
 		{
 			res=w_win32_error; goto ex;
 		}
+
 		if (!win_sandbox())
 		{
 			res=w_win32_error;
@@ -637,7 +638,6 @@ static int win_main()
 			goto ex;
 		}
 
-
 		// init LUA only here because of possible sandbox. no LUA code with high privs
 		if (!params.L && !lua_init())
 		{