Loading docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -489,6 +489,7 @@ nfqws: --dpi-desync-fake-tls=! means default tls fake nfqws: --dup* nfqws: --orig* nfqws: ipcache of hop count and host names nfqws: --ctrack-disable tpws: ipcache of host names nfqws,tpws: set 1024 repeat limit to fakes and dups init.d: remove --ipset parameter prohibition Loading nfq/desync.c +16 −9 Original line number Diff line number Diff line Loading @@ -562,7 +562,8 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct // so we need to workaround this. // we can't use low ttl because TCP/IP stack listens to ttl expired ICMPs and notify socket // we also can't use fooling because DPI would accept fooled packets if (ctrack && ctrack->pcounter_orig==1) // SYN and SYN,ACK checks are for conntrack-less mode if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))) { DLOG("applying linux postnat conntrack workaround\n"); if (proto==IPPROTO_UDP && udp && len_pkt) Loading Loading @@ -1161,12 +1162,15 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint { // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack if (!params.ctrack_disable) { ConntrackPoolPurge(¶ms.conntrack); if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, dis->tcp, NULL, dis->len_payload, &ctrack, &bReverse)) { dp = ctrack->dp; ctrack_replay = ctrack; } } if (dp) DLOG("using cached desync profile %d\n",dp->n); else if (!ctrack || !ctrack->dp_search_complete) Loading Loading 
@@ -2370,12 +2374,15 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint { // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack if (!params.ctrack_disable) { ConntrackPoolPurge(¶ms.conntrack); if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, NULL, dis->udp, dis->len_payload, &ctrack, &bReverse)) { dp = ctrack->dp; ctrack_replay = ctrack; } } if (dp) DLOG("using cached desync profile %d\n",dp->n); else if (!ctrack || !ctrack->dp_search_complete) Loading nfq/nfqws.c +9 −2 Original line number Diff line number Diff line Loading @@ -1417,6 +1417,7 @@ static void exithelp(void) " --bind-fix6\t\t\t\t\t; apply outgoing interface selection fix for generated ipv6 packets\n" #endif " --ctrack-timeouts=S:E:F[:U]\t\t\t; internal conntrack timeouts for TCP SYN, ESTABLISHED, FIN stages, UDP timeout. default %u:%u:%u:%u\n" " --ctrack-disable=[0|1]\t\t\t\t; 1 or no argument disables conntrack\n" " --ipcache-lifetime=<int>\t\t\t; time in seconds to keep cached hop count and domain name (default %u). 0 = no expiration\n" " --ipcache-hostname=[0|1]\t\t\t; 1 or no argument enables ip->hostname caching\n" #ifdef __CYGWIN__ Loading Loading @@ -1620,6 +1621,7 @@ enum opt_indices { IDX_WSSIZE, IDX_WSSIZE_CUTOFF, IDX_CTRACK_TIMEOUTS, IDX_CTRACK_DISABLE, IDX_IPCACHE_LIFETIME, IDX_IPCACHE_HOSTNAME, IDX_HOSTCASE, Loading Loading @@ -1739,6 +1741,7 @@ static const struct option long_options[] = { [IDX_WSSIZE] = {"wssize", required_argument, 0, 0}, [IDX_WSSIZE_CUTOFF] = {"wssize-cutoff", required_argument, 0, 0}, [IDX_CTRACK_TIMEOUTS] = {"ctrack-timeouts", required_argument, 0, 0}, [IDX_CTRACK_DISABLE] = {"ctrack-disable", optional_argument, 0, 0}, [IDX_IPCACHE_LIFETIME] = {"ipcache-lifetime", required_argument, 0, 0}, [IDX_IPCACHE_HOSTNAME] = {"ipcache-hostname", optional_argument, 0, 0}, [IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0}, Loading Loading 
@@ -2048,6 +2051,9 @@ int main(int argc, char **argv) exit_clean(1); } break; case IDX_CTRACK_DISABLE: params.ctrack_disable = !optarg || atoi(optarg); break; case IDX_IPCACHE_LIFETIME: if (sscanf(optarg, "%u", ¶ms.ipcache_lifetime)!=1) { Loading @@ -2056,7 +2062,7 @@ int main(int argc, char **argv) } break; case IDX_IPCACHE_HOSTNAME: params.cache_hostname = !optarg || !!atoi(optarg); params.cache_hostname = !optarg || atoi(optarg); break; case IDX_HOSTCASE: dp->hostcase = true; Loading Loading @@ -2180,7 +2186,7 @@ int main(int argc, char **argv) params.autottl_present=true; break; case IDX_DUP_REPLACE: dp->dup_replace = optarg ? !!atoi(optarg) : true; dp->dup_replace = !optarg || atoi(optarg); break; case IDX_DUP_FOOLING: if (!parse_fooling(optarg,&dp->dup_fooling_mode)) Loading Loading @@ -2841,6 +2847,7 @@ int main(int argc, char **argv) } DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n",desync_profile_count); if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n"); #ifndef __CYGWIN__ if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1)) Loading nfq/params.h +2 −1 Original line number Diff line number Diff line Loading @@ -197,9 +197,10 @@ struct params_s unsigned int ctrack_t_syn, ctrack_t_est, ctrack_t_fin, ctrack_t_udp; t_conntrack conntrack; bool ctrack_disable; unsigned int ipcache_lifetime; bool autottl_present,cache_hostname; unsigned int ipcache_lifetime; ip_cache ipcache; }; Loading Loading
docs/changes.txt +1 −0 Original line number Diff line number Diff line Loading @@ -489,6 +489,7 @@ nfqws: --dpi-desync-fake-tls=! means default tls fake nfqws: --dup* nfqws: --orig* nfqws: ipcache of hop count and host names nfqws: --ctrack-disable tpws: ipcache of host names nfqws,tpws: set 1024 repeat limit to fakes and dups init.d: remove --ipset parameter prohibition Loading
nfq/desync.c +16 −9 Original line number Diff line number Diff line Loading @@ -562,7 +562,8 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct // so we need to workaround this. // we can't use low ttl because TCP/IP stack listens to ttl expired ICMPs and notify socket // we also can't use fooling because DPI would accept fooled packets if (ctrack && ctrack->pcounter_orig==1) // SYN and SYN,ACK checks are for conntrack-less mode if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))) { DLOG("applying linux postnat conntrack workaround\n"); if (proto==IPPROTO_UDP && udp && len_pkt) Loading Loading @@ -1161,12 +1162,15 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint { // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack if (!params.ctrack_disable) { ConntrackPoolPurge(¶ms.conntrack); if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, dis->tcp, NULL, dis->len_payload, &ctrack, &bReverse)) { dp = ctrack->dp; ctrack_replay = ctrack; } } if (dp) DLOG("using cached desync profile %d\n",dp->n); else if (!ctrack || !ctrack->dp_search_complete) Loading Loading @@ -2370,12 +2374,15 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint { // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack if (!params.ctrack_disable) { ConntrackPoolPurge(¶ms.conntrack); if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, NULL, dis->udp, dis->len_payload, &ctrack, &bReverse)) { dp = ctrack->dp; ctrack_replay = ctrack; } } if (dp) DLOG("using cached desync profile %d\n",dp->n); else if (!ctrack || !ctrack->dp_search_complete) Loading
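Review bot: The new condition in ct_new_postnat_fix mixes `&&` and `||` without parentheses, and the SYN/SYN,ACK branch fires whenever `tcp` is set, not only in conntrack-less mode as the added comment claims: with conntrack enabled, any later SYN or SYN,ACK on a tracked flow (if pcounter_orig counts original-direction packets as its name suggests, a retransmitted SYN with pcounter_orig > 1) would now also trigger the postnat workaround, which the old `pcounter_orig==1` test alone excluded. If the intent really is "only when conntrack is off", gate the second branch on the flag this file already reads in the other two hunks: `if ((ctrack && ctrack->pcounter_orig==1) || (params.ctrack_disable && tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))))`. The explicit grouping also keeps -Wparentheses quiet. ct_new_postnat_fix starts and ends outside the hunk, and the two later hunks in dpi_desync_tcp_packet_play and dpi_desync_udp_packet_play are likewise cut from their enclosing functions, so whether `ctrack` is initialised to NULL before the skipped ConntrackPoolFeed call cannot be confirmed from here.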
nfq/nfqws.c +9 −2 Original line number Diff line number Diff line Loading @@ -1417,6 +1417,7 @@ static void exithelp(void) " --bind-fix6\t\t\t\t\t; apply outgoing interface selection fix for generated ipv6 packets\n" #endif " --ctrack-timeouts=S:E:F[:U]\t\t\t; internal conntrack timeouts for TCP SYN, ESTABLISHED, FIN stages, UDP timeout. default %u:%u:%u:%u\n" " --ctrack-disable=[0|1]\t\t\t\t; 1 or no argument disables conntrack\n" " --ipcache-lifetime=<int>\t\t\t; time in seconds to keep cached hop count and domain name (default %u). 0 = no expiration\n" " --ipcache-hostname=[0|1]\t\t\t; 1 or no argument enables ip->hostname caching\n" #ifdef __CYGWIN__ Loading Loading @@ -1620,6 +1621,7 @@ enum opt_indices { IDX_WSSIZE, IDX_WSSIZE_CUTOFF, IDX_CTRACK_TIMEOUTS, IDX_CTRACK_DISABLE, IDX_IPCACHE_LIFETIME, IDX_IPCACHE_HOSTNAME, IDX_HOSTCASE, Loading Loading @@ -1739,6 +1741,7 @@ static const struct option long_options[] = { [IDX_WSSIZE] = {"wssize", required_argument, 0, 0}, [IDX_WSSIZE_CUTOFF] = {"wssize-cutoff", required_argument, 0, 0}, [IDX_CTRACK_TIMEOUTS] = {"ctrack-timeouts", required_argument, 0, 0}, [IDX_CTRACK_DISABLE] = {"ctrack-disable", optional_argument, 0, 0}, [IDX_IPCACHE_LIFETIME] = {"ipcache-lifetime", required_argument, 0, 0}, [IDX_IPCACHE_HOSTNAME] = {"ipcache-hostname", optional_argument, 0, 0}, [IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0}, Loading Loading @@ -2048,6 +2051,9 @@ int main(int argc, char **argv) exit_clean(1); } break; case IDX_CTRACK_DISABLE: params.ctrack_disable = !optarg || atoi(optarg); break; case IDX_IPCACHE_LIFETIME: if (sscanf(optarg, "%u", ¶ms.ipcache_lifetime)!=1) { Loading @@ -2056,7 +2062,7 @@ int main(int argc, char **argv) } break; case IDX_IPCACHE_HOSTNAME: params.cache_hostname = !optarg || !!atoi(optarg); params.cache_hostname = !optarg || atoi(optarg); break; case IDX_HOSTCASE: dp->hostcase = true; Loading Loading 
@@ -2180,7 +2186,7 @@ int main(int argc, char **argv) params.autottl_present=true; break; case IDX_DUP_REPLACE: dp->dup_replace = optarg ? !!atoi(optarg) : true; dp->dup_replace = !optarg || atoi(optarg); break; case IDX_DUP_FOOLING: if (!parse_fooling(optarg,&dp->dup_fooling_mode)) Loading Loading @@ -2841,6 +2847,7 @@ int main(int argc, char **argv) } DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n",desync_profile_count); if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n"); #ifndef __CYGWIN__ if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1)) Loading
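Review bot: `params.ctrack_disable = !optarg || atoi(optarg);` accepts any text: `--ctrack-disable=yes` or `=true` is silently parsed as 0 and leaves conntrack enabled with no diagnostic, whereas `--ipcache-lifetime` a few lines below rejects unparseable input with sscanf and exit_clean(1). The same hunk rewrites `--ipcache-hostname` and `--dup-replace` to the identical atoi idiom, so all three flag options now share the weakness; a small helper that accepts only an absent argument, "0" or "1" and fails loudly otherwise preserves behaviour for every documented value (it would additionally reject "2", which atoi currently treats as true) and keeps the three cases consistent. The runtime warning "conntrack disabled ! some functions will not work" would also be more useful to an operator if it named which options depend on conntrack, though this hunk does not show which those are. main() starts and ends outside the hunk.
```c
// Parse a [0|1] flag option. No argument means 1; anything other than
// "0"/"1" is rejected so a typo like "=yes" cannot silently select 0.
static bool parse_bool_opt(const char *arg, bool *value)
{
	if (!arg || !strcmp(arg, "1")) { *value = true; return true; }
	if (!strcmp(arg, "0")) { *value = false; return true; }
	return false;
}
// … unchanged: option table and other cases …
case IDX_CTRACK_DISABLE:
	if (!parse_bool_opt(optarg, &params.ctrack_disable))
	{
		fprintf(stderr, "invalid value for --ctrack-disable\n");
		exit_clean(1);
	}
	break;
```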
nfq/params.h +2 −1 Original line number Diff line number Diff line Loading @@ -197,9 +197,10 @@ struct params_s unsigned int ctrack_t_syn, ctrack_t_est, ctrack_t_fin, ctrack_t_udp; t_conntrack conntrack; bool ctrack_disable; unsigned int ipcache_lifetime; bool autottl_present,cache_hostname; unsigned int ipcache_lifetime; ip_cache ipcache; }; Loading