nfqws: windows fixes for recent changes (50539d6c) · Commits · git-mirror / Zapret

nfq/darkmagic.c

+6 −6

Original line number	Diff line number	Diff line
		@@ -1900,15 +1900,15 @@ void verdict_tcp_csum_fix(uint8_t verdict, struct tcphdr *tcphdr, size_t transpo
		{
		if (!(verdict & VERDICT_NOCSUM))
		{
		#ifdef __CYGWIN__
		// always fix csum for windivert. original can be partial or bad
		#ifndef __CYGWIN__
		#ifdef __FreeBSD__
		if ((verdict & VERDICT_MASK)!=VERDICT_DROP)
		#elif defined(__FreeBSD__)
		// FreeBSD tend to pass ipv6 frames with wrong checksum
		if ((verdict & VERDICT_MASK)==VERDICT_MODIFY \|\| ip6hdr)
		#else
		// if original packet was tampered earlier it needs checksum fixed
		if ((verdict & VERDICT_MASK)==VERDICT_MODIFY)
		#endif
		#endif
		tcp_fix_checksum(tcphdr,transport_len,ip,ip6hdr);
		}
		@@ -1917,15 +1917,15 @@ void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transpo
		{
		if (!(verdict & VERDICT_NOCSUM))
		{
		#ifdef __CYGWIN__
		// always fix csum for windivert. original can be partial or bad
		#ifndef __CYGWIN__
		#ifdef __FreeBSD__
		if ((verdict & VERDICT_MASK)!=VERDICT_DROP)
		#elif defined(__FreeBSD__)
		// FreeBSD tend to pass ipv6 frames with wrong checksum
		if ((verdict & VERDICT_MASK)==VERDICT_MODIFY \|\| ip6hdr)
		#else
		// if original packet was tampered earlier it needs checksum fixed
		if ((verdict & VERDICT_MASK)==VERDICT_MODIFY)
		#endif
		#endif
		udp_fix_checksum(udphdr,transport_len,ip,ip6hdr);
		}

nfq/desync.c

+8 −11

Original line number	Diff line number	Diff line
		@@ -879,7 +879,7 @@ static bool orig_send_rewrite(
		}

		// return : true - orig was sent completely, false - should send orig another way
		static bool tcp_orig_send(uint32_t fwmark, const char ifout, const struct desync_profile dp, const t_ctrack ctrack, struct dissect dis, bool bForceSend)
		static bool tcp_orig_send(uint8_t verdict, uint32_t fwmark, const char ifout, const struct desync_profile dp, const t_ctrack ctrack, struct dissect dis, bool bForceSend)
		{
		if (dp->dup_repeats \|\| bForceSend)
		{
		@@ -894,6 +894,8 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn

		extract_endpoints(dis->ip, dis->ip6, dis->tcp, NULL, &src, &dst);

		verdict_tcp_csum_fix(verdict, dis->tcp, dis->transport_len, dis->ip, dis->ip6);

		if (dp->dup_repeats && check_dup_interval(dp,ctrack))
		{
		ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim;
		@@ -920,7 +922,6 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn
		DLOG_ERR("dup: packet reconstruct failed\n");
		return false;
		}

		DLOG("sending %u dups with packet reconstruct\n", dp->dup_repeats);

		// send dups
		@@ -956,7 +957,7 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn
		return false;
		}
		// return : true - orig was sent completely, false - should send orig another way
		static bool udp_orig_send(uint32_t fwmark, const char ifout, const struct desync_profile dp, const t_ctrack ctrack, struct dissect dis, bool bForceSend)
		static bool udp_orig_send(uint8_t verdict, uint32_t fwmark, const char ifout, const struct desync_profile dp, const t_ctrack ctrack, struct dissect dis, bool bForceSend)
		{
		if (dp->dup_repeats \|\| bForceSend)
		{
		@@ -969,6 +970,8 @@ static bool udp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn

		extract_endpoints(dis->ip, dis->ip6, NULL, dis->udp, &src, &dst);

		verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);

		if (dp->dup_repeats && check_dup_interval(dp,ctrack))
		{
		ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim;
		@@ -2168,9 +2171,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
		default:
		break;
		}

		if (bFake)
		verdict_tcp_csum_fix(verdict, dis->tcp, dis->transport_len, dis->ip, dis->ip6);
		}

		send_orig:
		@@ -2178,7 +2178,7 @@ send_orig:
		if ((verdict & VERDICT_MASK)==VERDICT_DROP)
		verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp);
		else
		if (tcp_orig_send(desync_fwmark,ifout,dp,ctrack_replay,dis,bFake))
		if (tcp_orig_send(verdict,desync_fwmark,ifout,dp,ctrack_replay,dis,bFake))
		verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp);
		return verdict;
		}
		@@ -2770,16 +2770,13 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
		default:
		break;
		}

		if (bFake)
		verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);
		}

		send_orig:
		if ((verdict & VERDICT_MASK)==VERDICT_DROP)
		verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
		else
		if (udp_orig_send(desync_fwmark,ifout,dp,ctrack_replay,dis,bFake))
		if (udp_orig_send(verdict,desync_fwmark,ifout,dp,ctrack_replay,dis,bFake))
		verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
		return verdict;
		}

nfq/nfqws.c

+47 −47

Original line number	Diff line number	Diff line
		@@ -1343,8 +1343,7 @@ static bool wf_make_filter(
		char pf_dst_buf[512],iface[64];
		const char *pf_dst;
		const char f_tcpin = pf_tcp_src ? dp_list_have_autohostlist(&params.desync_profiles) ? "(" DIVERT_TCP_INBOUNDS " or (" DIVERT_HTTP_REDIRECT "))" : DIVERT_TCP_INBOUNDS : "";
		const char f_tcp_not_empty = pf_tcp_src ? DIVERT_TCP_NOT_EMPTY " and " : "";

		const char f_tcp_not_empty = (pf_tcp_src && !dp_list_need_all_out(&params.desync_profiles)) ? DIVERT_TCP_NOT_EMPTY " and " : "";
		snprintf(iface,sizeof(iface)," ifIdx=%u and subIfIdx=%u and",IfIdx,SubIfIdx);

		if (!pf_tcp_src && !pf_udp_src) return false;
		@@ -1453,14 +1452,14 @@ static void exithelp(void)
		" --orig-mod-start=[n\|d\|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n"
		" --orig-mod-cutoff=[n\|d\|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
		" --dup=<int>\t\t\t\t\t; duplicate original packets. send N dups before original.\n"
		" --dup-ttl=<int>\t\t\t\t; set TTL for dups\n"
		" --dup-replace=[0\|1]\t\t\t\t; 1 or no argument means do not send original, only dups\n"
		" --dup-ttl=<int>\t\t\t\t; set TTL for dups\n"
		" --dup-ttl6=<int>\t\t\t\t; set ipv6 hop limit for dups. by default ttl value is used\n"
		" --dup-fooling=<mode>[,<mode>]\t\t\t; can use multiple comma separated values. modes : none md5sig badseq badsum datanoack hopbyhop hopbyhop2\n"
		" --dup-badseq-increment=<int\|0xHEX>\t\t; badseq fooling seq signed increment for dup. default %d\n"
		" --dup-badack-increment=<int\|0xHEX>\t\t; badseq fooling ackseq signed increment for dup. default %d\n"
		" --dup-start=[n\|d\|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n"
		" --dup-cutoff=[n\|d\|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
		" --dup-badseq-increment=<int\|0xHEX>\t\t; badseq fooling seq signed increment for dup. default %d\n"
		" --dup-desync-badack-increment=<int\|0xHEX>\t; badseq fooling ackseq signed increment for dup. default %d\n"
		" --hostcase\t\t\t\t\t; change Host: => host:\n"
		" --hostspell\t\t\t\t\t; exact spelling of \"Host\" header. must be 4 chars. default is \"host\"\n"
		" --hostnospace\t\t\t\t\t; remove space after Host: and add it to User-Agent: to preserve packet size\n"
		@@ -2757,48 +2756,6 @@ int main(int argc, char **argv)
		DLOG_ERR("Need divert port (--port)\n");
		exit_clean(1);
		}
		#elif defined(__CYGWIN__)
		if (!*windivert_filter)
		{
		if (!wf_pf_tcp_src && !wf_pf_udp_src)
		{
		DLOG_ERR("windivert filter : must specify port filter\n");
		exit_clean(1);
		}
		if (!wf_make_filter(windivert_filter, sizeof(windivert_filter), IfIdx, SubIfIdx, wf_ipv4, wf_ipv6, wf_pf_tcp_src, wf_pf_tcp_dst, wf_pf_udp_src, wf_pf_udp_dst))
		{
		DLOG_ERR("windivert filter : could not make filter\n");
		exit_clean(1);
		}
		}
		DLOG("windivert filter size: %zu\nwindivert filter:\n%s\n",strlen(windivert_filter),windivert_filter);
		if (*wf_save_file)
		{
		if (save_file(wf_save_file,windivert_filter,strlen(windivert_filter)))
		{
		DLOG_ERR("windivert filter: raw filter saved to %s\n", wf_save_file);
		exit_clean(0);
		}
		else
		{
		DLOG_ERR("windivert filter: could not save raw filter to %s\n", wf_save_file);
		exit_clean(1);
		}
		}
		HANDLE hMutexArg;
		{
		char mutex_name[128];
		snprintf(mutex_name,sizeof(mutex_name),"Global\\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u",hash_wf_tcp,hash_wf_udp,hash_wf_raw,hash_ssid_filter,hash_nlm_filter,IfIdx,SubIfIdx,wf_ipv4,wf_ipv6);

		hMutexArg = CreateMutexA(NULL,TRUE,mutex_name);
		if (hMutexArg && GetLastError()==ERROR_ALREADY_EXISTS)
		{
		CloseHandle(hMutexArg); hMutexArg = NULL;
		DLOG_ERR("A copy of winws is already running with the same filter\n");
		goto exiterr;
		}

		}
		#endif

		DLOG("adding low-priority default empty desync profile\n");
		@@ -2865,6 +2822,49 @@ int main(int argc, char **argv)
		SplitDebug();
		DLOG("\n");

		#ifdef __CYGWIN__
		if (!*windivert_filter)
		{
		if (!wf_pf_tcp_src && !wf_pf_udp_src)
		{
		DLOG_ERR("windivert filter : must specify port filter\n");
		exit_clean(1);
		}
		if (!wf_make_filter(windivert_filter, sizeof(windivert_filter), IfIdx, SubIfIdx, wf_ipv4, wf_ipv6, wf_pf_tcp_src, wf_pf_tcp_dst, wf_pf_udp_src, wf_pf_udp_dst))
		{
		DLOG_ERR("windivert filter : could not make filter\n");
		exit_clean(1);
		}
		}
		DLOG("windivert filter size: %zu\nwindivert filter:\n%s\n",strlen(windivert_filter),windivert_filter);
		if (*wf_save_file)
		{
		if (save_file(wf_save_file,windivert_filter,strlen(windivert_filter)))
		{
		DLOG_ERR("windivert filter: raw filter saved to %s\n", wf_save_file);
		exit_clean(0);
		}
		else
		{
		DLOG_ERR("windivert filter: could not save raw filter to %s\n", wf_save_file);
		exit_clean(1);
		}
		}
		HANDLE hMutexArg;
		{
		char mutex_name[128];
		snprintf(mutex_name,sizeof(mutex_name),"Global\\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u",hash_wf_tcp,hash_wf_udp,hash_wf_raw,hash_ssid_filter,hash_nlm_filter,IfIdx,SubIfIdx,wf_ipv4,wf_ipv6);

		hMutexArg = CreateMutexA(NULL,TRUE,mutex_name);
		if (hMutexArg && GetLastError()==ERROR_ALREADY_EXISTS)
		{
		CloseHandle(hMutexArg); hMutexArg = NULL;
		DLOG_ERR("A copy of winws is already running with the same filter\n");
		goto exiterr;
		}
		}
		#endif

		if (bDry)
		{
		DLOG_CONDUP("command line parameters verified\n");

nfq/params.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -294,3 +294,12 @@ bool dp_list_have_autohostlist(struct desync_profile_list_head *head)
		return true;
		return false;
		}
		// check if we need empty outgoing ACK
		bool dp_list_need_all_out(struct desync_profile_list_head *head)
		{
		struct desync_profile_list *dpl;
		LIST_FOREACH(dpl, head, next)
		if (dpl->dp.dup_repeats \|\| PROFILE_HAS_ORIG_MOD(&dpl->dp))
		return true;
		return false;
		}

nfq/params.h

+5 −4

Original line number	Diff line number	Diff line
		@@ -126,10 +126,10 @@ struct desync_profile
		hostfail_pool *hostlist_auto_fail_counters;
		};

		#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&dp->ips_collection) && !LIST_FIRST(&dp->ips_collection_exclude))
		#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&dp->ips_collection) && ipset_collection_is_empty(&dp->ips_collection_exclude))
		#define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&dp->hl_collection) && hostlist_collection_is_empty(&dp->hl_collection_exclude))
		#define PROFILE_HAS_ORIG_MOD(dp) (dp->orig_mod_ttl \|\| dp->orig_mod_ttl6)
		#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&(dp)->ips_collection) && !LIST_FIRST(&(dp)->ips_collection_exclude))
		#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&(dp)->ips_collection) && ipset_collection_is_empty(&(dp)->ips_collection_exclude))
		#define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&(dp)->hl_collection) && hostlist_collection_is_empty(&(dp)->hl_collection_exclude))
		#define PROFILE_HAS_ORIG_MOD(dp) ((dp)->orig_mod_ttl \|\| (dp)->orig_mod_ttl6)

		struct desync_profile_list {
		struct desync_profile dp;
		@@ -140,6 +140,7 @@ struct desync_profile_list dp_list_add(struct desync_profile_list_head head);
		void dp_entry_destroy(struct desync_profile_list *entry);
		void dp_list_destroy(struct desync_profile_list_head *head);
		bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
		bool dp_list_need_all_out(struct desync_profile_list_head *head);
		void dp_init(struct desync_profile *dp);
		bool dp_fake_defaults(struct desync_profile *dp);
		void dp_clear(struct desync_profile *dp);