From 6d52b49b98fb7b8ddfe486bdd0280533ca5f6c29 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 10 May 2025 09:41:26 +0300 Subject: [PATCH] nfqws: do not reconstruct synack-split in syn mode --- nfq/desync.c | 60 +++++++++++++++++++++++++++------------------------- nfq/nfqws.c | 8 +------ nfq/sec.c | 8 +++++++ 3 files changed, 40 insertions(+), 36 deletions(-) diff --git a/nfq/desync.c b/nfq/desync.c index 78d45491..3e0c362e 100644 --- a/nfq/desync.c +++ b/nfq/desync.c @@ -1188,10 +1188,19 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint //ConntrackPoolDump(¶ms.conntrack); - if (dp->wsize && tcp_synack_segment(dis->tcp)) + if (tcp_synack_segment(dis->tcp)) { - tcp_rewrite_winsize(dis->tcp, dp->wsize, dp->wscale); - verdict=VERDICT_MODIFY; + if (dp->wsize) + { + tcp_rewrite_winsize(dis->tcp, dp->wsize, dp->wscale); + verdict=VERDICT_MODIFY; + } + if (dp->synack_split==SS_SYN) + { + DLOG("split SYNACK : clearing ACK bit\n"); + dis->tcp->th_flags &= ~TH_ACK; + verdict=VERDICT_MODIFY; + } } if (bReverse) 
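Review bot: The new `SS_SYN` branch clears `TH_ACK` in place and sets `verdict=VERDICT_MODIFY` without calling `tcp_fix_checksum`, while the reconstruct branch in the next hunk calls it explicitly after the same flag change. The existing `tcp_rewrite_winsize` branch suggests the MODIFY verdict path recomputes the TCP checksum later, but that code is not visible here. If so, a comment such as `// TCP checksum is recomputed on the VERDICT_MODIFY path` above `dis->tcp->th_flags &= ~TH_ACK;` would record the assumption; if not, the segment leaves with a stale checksum. The enclosing function starts and ends outside the hunk.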
@@ -1280,50 +1289,43 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint } } - if (dp->synack_split!=SS_NONE && tcp_synack_segment(dis->tcp)) + if ((dp->synack_split==SS_SYNACK || dp->synack_split==SS_ACKSYN) && tcp_synack_segment(dis->tcp)) { + // reconstruct required + dis->tcp->th_flags &= ~TH_ACK; tcp_fix_checksum(dis->tcp,dis->transport_len, dis->ip, dis->ip6); - char ss[2],i,ct; - if (dp->synack_split==SS_SYN) + char ss[2],i; + if (dp->synack_split==SS_SYNACK) { - ct=1; ss[0] = 'S'; + ss[1] = 'A'; } else { - ct=2; - if (dp->synack_split==SS_SYNACK) - { - ss[0] = 'S'; - ss[1] = 'A'; - } - else - { - ss[0] = 'A'; - ss[1] = 'S'; - } - pkt1_len = sizeof(pkt1); - if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, TH_ACK, false, 0, dis->tcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, SCALE_NONE, timestamps, - DF,ttl_orig,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6), - FOOL_NONE,0,0,NULL, 0, pkt1, &pkt1_len)) - { - DLOG_ERR("cannot prepare split SYNACK ACK part\n"); - goto send_orig; - } + ss[0] = 'A'; + ss[1] = 'S'; } - for (int i=0;itcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, SCALE_NONE, timestamps, + DF,ttl_orig,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6), + FOOL_NONE,0,0,NULL, 0, pkt1, &pkt1_len)) + { + DLOG_ERR("cannot prepare split SYNACK ACK part\n"); + goto send_orig; + } + for (int i=0;i<2;i++) { switch(ss[i]) { case 'S': - DLOG("sending split SYNACK : SYN\n"); + DLOG("split SYNACK : SYN\n"); if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , dis->data_pkt, dis->len_pkt)) goto send_orig; break; case 'A': - DLOG("sending split SYNACK : ACK\n"); + DLOG("split SYNACK : ACK\n"); if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len)) goto send_orig; break; diff --git a/nfq/nfqws.c b/nfq/nfqws.c index d0fd0d2c..5e6d9ad7 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c 
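Review bot: In the reconstruct branch, `dis->tcp->th_flags &= ~TH_ACK;` and `tcp_fix_checksum(...)` run before `prepare_tcp_segment`, so a `goto send_orig` after a failed prepare or `rawsend_rep` leaves the captured packet already stripped of its ACK flag. Whether that matters depends on what `send_orig` does with the buffer, which is outside the hunk. Building `pkt1` first and only then modifying `dis->tcp` would keep the fallback packet unmodified. Separately, `char ss[2],i;` still declares a `char i` that is unused and is shadowed by `for (int i=0;i<2;i++)`; `char ss[2];` is enough.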
@@ -527,13 +527,7 @@ static int win_main(const char *windivert_filter) WINDIVERT_ADDRESS wa; char ifname[IFNAMSIZ]; - if (params.daemon) - { - // cygwin loses current dir - char *cwd = get_current_dir_name(); - daemonize(); - chdir(cwd); - } + if (params.daemon) daemonize(); if (*params.pidfile && !writepid(params.pidfile)) { diff --git a/nfq/sec.c b/nfq/sec.c index 6c7a54c8..6d1649ec 100644 --- a/nfq/sec.c +++ b/nfq/sec.c @@ -343,9 +343,13 @@ void print_id(void) #endif + void daemonize(void) { int pid; +#ifdef __CYGWIN__ + char *cwd = get_current_dir_name(); +#endif pid = fork(); if (pid == -1) @@ -356,6 +360,10 @@ void daemonize(void) else if (pid != 0) exit(0); +#ifdef __CYGWIN__ + chdir(get_current_dir_name()); +#endif + if (setsid() == -1) exit(2); if (chdir("/") == -1)
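Review bot: In `daemonize()` the `cwd` saved before `fork()` in the first sec.c hunk is never used. The second hunk calls `chdir(get_current_dir_name());`, which queries the directory again in the child, so a directory lost across the fork cannot be restored, and both allocated strings are leaked. Using the saved value, `if (cwd) { chdir(cwd); free(cwd); }`, would match what the code removed from `win_main` did. The context line `if (chdir("/") == -1)` follows directly, so the restored directory appears to be replaced by `/` before `daemonize()` returns, unlike at the old call site. Relative paths used afterwards, such as the pidfile written in `win_main`, may then resolve differently; the rest of the function is outside the hunk.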