Loading nfq/desync.c +12 −3 Original line number Diff line number Diff line Loading @@ -564,9 +564,18 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))) { DLOG("applying linux postnat conntrack workaround\n"); // make ip protocol invalid if (ip6) ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255; if (ip) ip->ip_p = 255; // this also makes ipv4 header checksum invalid // make ip protocol invalid and low TTL if (ip6) { ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255; ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = 1; } if (ip) { // this likely also makes ipv4 header checksum invalid ip->ip_p = 255; ip->ip_ttl = 1; } return VERDICT_MODIFY | VERDICT_NOCSUM; } #endif Loading nfq/nfqws.c +1 −3 Original line number Diff line number Diff line Loading @@ -296,6 +296,7 @@ static int nfq_main(void) return 1; } sec_harden(); if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) goto err; print_id(); Loading @@ -307,9 +308,6 @@ static int nfq_main(void) if (params.daemon) daemonize(); // do it only after daemonize because daemonize needs fork sec_harden(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) Loading Loading
nfq/desync.c +12 −3 Original line number Diff line number Diff line Loading @@ -564,9 +564,18 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))) { DLOG("applying linux postnat conntrack workaround\n"); // make ip protocol invalid if (ip6) ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255; if (ip) ip->ip_p = 255; // this also makes ipv4 header checksum invalid // make ip protocol invalid and low TTL if (ip6) { ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255; ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = 1; } if (ip) { // this likely also makes ipv4 header checksum invalid ip->ip_p = 255; ip->ip_ttl = 1; } return VERDICT_MODIFY | VERDICT_NOCSUM; } #endif Loading
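Review bot: The comment `// this likely also makes ipv4 header checksum invalid` on the new `if (ip)` branch hedges something the code makes certain: both `ip->ip_p` and `ip->ip_ttl` are written and `ip_sum` is never recomputed, so the IPv4 header checksum is stale on every packet that takes this path, and the `VERDICT_MODIFY | VERDICT_NOCSUM` return looks like the deliberate signal that no recomputation follows. I would replace it with `// ip_p and ip_ttl are rewritten without refreshing ip_sum, so the IPv4 header checksum is now stale; VERDICT_NOCSUM tells the caller not to repair it` so the next reader knows the stale checksum is intended rather than an oversight. The header comment `// make ip protocol invalid and low TTL` would also benefit from naming the intent of the two writes together, e.g. `// protocol 255 (IANA reserved) plus TTL/hop limit 1: the segment is meant to be unroutable and to not match the real flow`, where the second half is my reading of the conntrack workaround and should be confirmed by the author. The function's signature and opening lines are outside the hunk.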
nfq/nfqws.c +1 −3 Original line number Diff line number Diff line Loading @@ -296,6 +296,7 @@ static int nfq_main(void) return 1; } sec_harden(); if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) goto err; print_id(); Loading @@ -307,9 +308,6 @@ static int nfq_main(void) if (params.daemon) daemonize(); // do it only after daemonize because daemonize needs fork sec_harden(); if (Fpid) { if (fprintf(Fpid, "%d", getpid())<=0) Loading
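Review bot: The relocated `sec_harden();` in the first hunk now runs before `droproot()`, `dropcaps()` and `daemonize()`, yet the only explanation of the ordering constraint — the removed `// do it only after daemonize because daemonize needs fork` in the second hunk — is deleted without a replacement, so the new call site carries no statement of why hardening is now safe ahead of a fork and a privilege drop. If sec_harden() installs a syscall filter or otherwise restricts fork/setuid-type calls (I cannot see its body from here), the daemon and droproot paths would fail at runtime under the new order; if it was changed so that it no longer does, that is exactly what the comment should say. I would add at the new call site a comment such as `// sec_harden() must precede droproot()/dropcaps() and daemonize(): <state the constraint that allows hardening before fork and privilege drop>`, filled in by the author, so the next move of this line is not made blind. nfq_main() begins and ends outside both hunks.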