feat: Use AF_PACKET raw socket instead of AF_INET/AF_INET6

MikeWang000000 · MikeWang000000 · commit 2cf2573710f4 · 2025-06-09T16:32:59.000+08:00
diff --git a/include/globvar.h b/include/globvar.h
@@ -25,8 +25,7 @@
 
 struct fh_context {
     int exit;
-    int sock4fd;
-    int sock6fd;
+    int sockfd;
     FILE *logfp;
 
     /* -d */ int daemon;
diff --git a/include/rawsock.h b/include/rawsock.h
@@ -20,7 +20,7 @@
 #ifndef FH_RAWSOCK_H
 #define FH_RAWSOCK_H
 
-int fh_rawsock_setup(int af);
+int fh_rawsock_setup(void);
 
 void fh_rawsock_cleanup(void);
 
diff --git a/src/globvar.c b/src/globvar.c
@@ -24,8 +24,7 @@
 #include <stdio.h>
 
 struct fh_context g_ctx = {.exit = 0,
-                           .sock4fd = -1,
-                           .sock6fd = -1,
+                           .sockfd = -1,
                            .logfp = NULL,
 
                            /* -d */ .daemon = 0,
diff --git a/src/ipv4ipt.c b/src/ipv4ipt.c
@@ -35,11 +35,8 @@ int fh_ipt4_setup(void)
     char *ipt_cmds[][32] = {
         {"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-I", "INPUT", "-j", "FAKEHTTP",
-         NULL},
-
-        {"iptables", "-w", "-t", "mangle", "-I", "FORWARD", "-j", "FAKEHTTP",
-         NULL},
+        {"iptables", "-w", "-t", "mangle", "-I", "PREROUTING", "-j",
+         "FAKEHTTP", NULL},
 
         /*
             exclude marked packets
diff --git a/src/ipv4nft.c b/src/ipv4nft.c
@@ -35,14 +35,8 @@ int fh_nft4_setup(void)
     char nft_conf_buff[2048];
     char *nft_conf_fmt =
         "table ip fakehttp {\n"
-        "    chain fh_input {\n"
-        "        type filter hook input priority mangle - 5;\n"
-        "        policy accept;\n"
-        "        jump fh_rules;\n"
-        "    }\n"
-        "\n"
-        "    chain fh_forward {\n"
-        "        type filter hook forward priority mangle - 5;\n"
+        "    chain fh_prerouting {\n"
+        "        type filter hook prerouting priority mangle - 5;\n"
         "        policy accept;\n"
         "        jump fh_rules;\n"
         "    }\n"
diff --git a/src/ipv6ipt.c b/src/ipv6ipt.c
@@ -35,11 +35,8 @@ int fh_ipt6_setup(void)
     char *ipt_cmds[][32] = {
         {"ip6tables", "-w", "-t", "mangle", "-N", "FAKEHTTP", NULL},
 
-        {"ip6tables", "-w", "-t", "mangle", "-I", "INPUT", "-j", "FAKEHTTP",
-         NULL},
-
-        {"ip6tables", "-w", "-t", "mangle", "-I", "FORWARD", "-j", "FAKEHTTP",
-         NULL},
+        {"ip6tables", "-w", "-t", "mangle", "-I", "PREROUTING", "-j",
+         "FAKEHTTP", NULL},
 
         /*
             exclude marked packets
diff --git a/src/ipv6nft.c b/src/ipv6nft.c
@@ -35,14 +35,8 @@ int fh_nft6_setup(void)
     char nft_conf_buff[2048];
     char *nft_conf_fmt =
         "table ip6 fakehttp {\n"
-        "    chain fh_input {\n"
-        "        type filter hook input priority mangle - 5;\n"
-        "        policy accept;\n"
-        "        jump fh_rules;\n"
-        "    }\n"
-        "\n"
-        "    chain fh_forward {\n"
-        "        type filter hook forward priority mangle - 5;\n"
+        "    chain fh_prerouting {\n"
+        "        type filter hook prerouting priority mangle - 5;\n"
         "        policy accept;\n"
         "        jump fh_rules;\n"
         "    }\n"
diff --git a/src/mainfun.c b/src/mainfun.c
@@ -249,13 +249,7 @@ int main(int argc, char *argv[])
     E("Home page: https://github.com/MikeWang000000/FakeHTTP");
     E("");
 
-    res = fh_rawsock_setup(AF_INET);
-    if (res < 0) {
-        EE(T(fh_rawsock_setup));
-        goto cleanup_logger;
-    }
-
-    res = fh_rawsock_setup(AF_INET6);
+    res = fh_rawsock_setup();
     if (res < 0) {
         EE(T(fh_rawsock_setup));
         goto cleanup_logger;
diff --git a/src/nfqueue.c b/src/nfqueue.c
@@ -29,6 +29,7 @@
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <sys/socket.h>
+#include <linux/if_packet.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink_queue.h>
 #include <libnetfilter_queue/libnetfilter_queue.h>
@@ -71,17 +72,15 @@ static void ipaddr_to_str(struct sockaddr *addr, char ipstr[INET6_ADDRSTRLEN])
 }
 
 
-static int send_ack(struct sockaddr *saddr, struct sockaddr *daddr,
-                    uint16_t sport_be, uint16_t dport_be, uint32_t seq_be,
-                    uint32_t ackseq_be)
+static int send_ack(struct sockaddr_ll *sll, struct sockaddr *saddr,
+                    struct sockaddr *daddr, uint16_t sport_be,
+                    uint16_t dport_be, uint32_t seq_be, uint32_t ackseq_be)
 {
-    int pkt_len, addr_len, sock_fd;
+    int pkt_len;
     ssize_t nbytes;
     char pkt_buff[1024];
 
     if (daddr->sa_family == AF_INET) {
-        sock_fd = g_ctx.sock4fd;
-        addr_len = sizeof(struct sockaddr_in);
         pkt_len = fh_pkt4_make(pkt_buff, sizeof(pkt_buff), saddr, daddr,
                                sport_be, dport_be, seq_be, ackseq_be, 0, NULL,
                                0);
@@ -90,8 +89,6 @@ static int send_ack(struct sockaddr *saddr, struct sockaddr *daddr,
             return -1;
         }
     } else if (daddr->sa_family == AF_INET6) {
-        sock_fd = g_ctx.sock6fd;
-        addr_len = sizeof(struct sockaddr_in6);
         pkt_len = fh_pkt6_make(pkt_buff, sizeof(pkt_buff), saddr, daddr,
                                sport_be, dport_be, seq_be, ackseq_be, 0, NULL,
                                0);
@@ -104,7 +101,8 @@ static int send_ack(struct sockaddr *saddr, struct sockaddr *daddr,
         return -1;
     }
 
-    nbytes = sendto(sock_fd, pkt_buff, pkt_len, 0, daddr, addr_len);
+    nbytes = sendto(g_ctx.sockfd, pkt_buff, pkt_len, 0,
+                    (struct sockaddr *) sll, sizeof(*sll));
     if (nbytes < 0) {
         E("ERROR: sendto(): %s", strerror(errno));
         return -1;
@@ -114,16 +112,16 @@ static int send_ack(struct sockaddr *saddr, struct sockaddr *daddr,
 }
 
 
-static int send_http(struct sockaddr *saddr, struct sockaddr *daddr,
-                     uint16_t sport_be, uint16_t dport_be, uint32_t seq_be,
-                     uint32_t ackseq_be)
+static int send_http(struct sockaddr_ll *sll, struct sockaddr *saddr,
+                     struct sockaddr *daddr, uint16_t sport_be,
+                     uint16_t dport_be, uint32_t seq_be, uint32_t ackseq_be)
 {
     static const char *http_fmt = "GET / HTTP/1.1\r\n"
                                   "Host: %s\r\n"
                                   "Accept: */*\r\n"
                                   "\r\n";
 
-    int http_len, pkt_len, addr_len, sock_fd;
+    int http_len, pkt_len;
     ssize_t nbytes;
     char http_buff[512], pkt_buff[1024];
 
@@ -135,8 +133,6 @@ static int send_http(struct sockaddr *saddr, struct sockaddr *daddr,
     }
 
     if (daddr->sa_family == AF_INET) {
-        sock_fd = g_ctx.sock4fd;
-        addr_len = sizeof(struct sockaddr_in);
         pkt_len = fh_pkt4_make(pkt_buff, sizeof(pkt_buff), saddr, daddr,
                                sport_be, dport_be, seq_be, ackseq_be, 1,
                                http_buff, http_len);
@@ -145,8 +141,6 @@ static int send_http(struct sockaddr *saddr, struct sockaddr *daddr,
             return -1;
         }
     } else if (daddr->sa_family == AF_INET6) {
-        sock_fd = g_ctx.sock6fd;
-        addr_len = sizeof(struct sockaddr_in6);
         pkt_len = fh_pkt6_make(pkt_buff, sizeof(pkt_buff), saddr, daddr,
                                sport_be, dport_be, seq_be, ackseq_be, 1,
                                http_buff, http_len);
@@ -159,7 +153,8 @@ static int send_http(struct sockaddr *saddr, struct sockaddr *daddr,
         return -1;
     }
 
-    nbytes = sendto(sock_fd, pkt_buff, pkt_len, 0, daddr, addr_len);
+    nbytes = sendto(g_ctx.sockfd, pkt_buff, pkt_len, 0,
+                    (struct sockaddr *) sll, sizeof(*sll));
     if (nbytes < 0) {
         E("ERROR: sendto(): %s", strerror(errno));
         return -1;
@@ -172,7 +167,7 @@ static int send_http(struct sockaddr *saddr, struct sockaddr *daddr,
 static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                     struct nfq_data *nfa, void *data)
 {
-    uint32_t pkt_id, ack_new;
+    uint32_t pkt_id, ifindex, ack_new;
     uint16_t ethertype;
     int res, i, pkt_len, tcp_payload_len;
     struct nfqnl_msg_packet_hdr *ph;
@@ -181,6 +176,8 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
     char src_ip[INET6_ADDRSTRLEN], dst_ip[INET6_ADDRSTRLEN];
     struct sockaddr_storage saddr_store, daddr_store;
     struct sockaddr *saddr, *daddr;
+    struct nfqnl_msg_packet_hw *hwph;
+    struct sockaddr_ll sll;
 
     (void) nfmsg;
     (void) data;
@@ -195,14 +192,27 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
     }
 
     pkt_id = ntohl(ph->packet_id);
-    ethertype = ntohs(ph->hw_protocol);
+
+    hwph = nfq_get_packet_hw(nfa);
+    if (!hwph) {
+        EE("ERROR: nfq_get_packet_hw(): %s", "failure");
+        goto ret_accept;
+    }
+
+    ifindex = nfq_get_indev(nfa);
+    if (!ifindex) {
+        EE("ERROR: nfq_get_indev(): %s", "failure");
+        goto ret_accept;
+    }
+
     pkt_data = NULL;
     pkt_len = nfq_get_payload(nfa, &pkt_data);
     if (pkt_len < 0 || !pkt_data) {
         EE("ERROR: nfq_get_payload(): %s", "failure");
         goto ret_accept;
     }
 
+    ethertype = ntohs(ph->hw_protocol);
     if (ethertype == ETHERTYPE_IP) {
         res = fh_pkt4_parse(pkt_data, pkt_len, saddr, daddr, &tcph,
                             &tcp_payload_len);
@@ -222,6 +232,13 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
         goto ret_accept;
     }
 
+    memset(&sll, 0, sizeof(sll));
+    sll.sll_family = AF_PACKET;
+    sll.sll_protocol = ph->hw_protocol;
+    sll.sll_ifindex = ifindex;
+    sll.sll_halen = sizeof(hwph->hw_addr);
+    memcpy(sll.sll_addr, hwph->hw_addr, sizeof(hwph->hw_addr));
+
     if (!g_ctx.silent) {
         ipaddr_to_str(saddr, src_ip);
         ipaddr_to_str(daddr, dst_ip);
@@ -240,7 +257,7 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
         ack_new = htonl(ack_new);
 
         for (i = 0; i < g_ctx.repeat; i++) {
-            res = send_ack(daddr, saddr, tcph->dest, tcph->source,
+            res = send_ack(&sll, daddr, saddr, tcph->dest, tcph->source,
                            tcph->ack_seq, ack_new);
             if (res < 0) {
                 EE(T(send_ack));
@@ -251,7 +268,7 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                dst_ip, ntohs(tcph->dest));
 
         for (i = 0; i < g_ctx.repeat; i++) {
-            res = send_http(daddr, saddr, tcph->dest, tcph->source,
+            res = send_http(&sll, daddr, saddr, tcph->dest, tcph->source,
                             tcph->ack_seq, ack_new);
             if (res < 0) {
                 EE(T(send_http));
@@ -267,7 +284,7 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                ntohs(tcph->dest));
 
         for (i = 0; i < g_ctx.repeat; i++) {
-            res = send_http(daddr, saddr, tcph->dest, tcph->source,
+            res = send_http(&sll, daddr, saddr, tcph->dest, tcph->source,
                             tcph->ack_seq, tcph->seq);
             if (res < 0) {
                 EE(T(send_http));
diff --git a/src/rawsock.c b/src/rawsock.c
@@ -24,17 +24,18 @@
 #include <string.h>
 #include <unistd.h>
 #include <arpa/inet.h>
+#include <net/ethernet.h>
 #include <sys/socket.h>
 
 #include "globvar.h"
 #include "logging.h"
 
-int fh_rawsock_setup(int af)
+int fh_rawsock_setup(void)
 {
     int res, opt, sock_fd;
     const char *err_hint;
 
-    sock_fd = socket(af, SOCK_RAW, IPPROTO_RAW);
+    sock_fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
     if (sock_fd < 0) {
         switch (errno) {
             case EPERM:
@@ -47,36 +48,6 @@ int fh_rawsock_setup(int af)
         return -1;
     }
 
-    res = setsockopt(sock_fd, SOL_SOCKET, SO_BINDTODEVICE, g_ctx.iface,
-                     strlen(g_ctx.iface));
-    if (res < 0) {
-        E("ERROR: setsockopt(): SO_BINDTODEVICE: %s", strerror(errno));
-        goto close_socket;
-    }
-
-    if (af == AF_INET6) {
-        opt = 1;
-        res = setsockopt(sock_fd, IPPROTO_IPV6, IPV6_HDRINCL, &opt,
-                         sizeof(opt));
-        if (res < 0 && errno != ENOPROTOOPT) {
-            /*
-                ENOPROTOOPT may occur when kernel version < 4.5.
-                However, on Linux, IPPROTO_RAW means the kernel will not add a
-                Layer 3 header, so it is safe to ignore this error.
-                See raw(7) for details.
-            */
-            E("ERROR: setsockopt(): IPV6_HDRINCL: %s", strerror(errno));
-            goto close_socket;
-        }
-    } else {
-        opt = 1;
-        res = setsockopt(sock_fd, IPPROTO_IP, IP_HDRINCL, &opt, sizeof(opt));
-        if (res < 0) {
-            E("ERROR: setsockopt(): IP_HDRINCL: %s", strerror(errno));
-            goto close_socket;
-        }
-    }
-
     res = setsockopt(sock_fd, SOL_SOCKET, SO_MARK, &g_ctx.fwmark,
                      sizeof(g_ctx.fwmark));
     if (res < 0) {
@@ -91,12 +62,19 @@ int fh_rawsock_setup(int af)
         goto close_socket;
     }
 
-    if (af == AF_INET6) {
-        g_ctx.sock6fd = sock_fd;
-    } else {
-        g_ctx.sock4fd = sock_fd;
+    /*
+        Set SO_RCVBUF to the minimum, since we never call recvfrom() on this
+        socket.
+    */
+    opt = 128;
+    res = setsockopt(sock_fd, SOL_SOCKET, SO_RCVBUF, &opt, sizeof(opt));
+    if (res < 0) {
+        E("ERROR: setsockopt(): SO_PRIORITY: %s", strerror(errno));
+        goto close_socket;
     }
 
+    g_ctx.sockfd = sock_fd;
+
     return 0;
 
 close_socket:
@@ -108,13 +86,8 @@ int fh_rawsock_setup(int af)
 
 void fh_rawsock_cleanup(void)
 {
-    if (g_ctx.sock4fd >= 0) {
-        close(g_ctx.sock4fd);
-        g_ctx.sock4fd = -1;
-    }
-
-    if (g_ctx.sock6fd >= 0) {
-        close(g_ctx.sock6fd);
-        g_ctx.sock6fd = -1;
+    if (g_ctx.sockfd >= 0) {
+        close(g_ctx.sockfd);
+        g_ctx.sockfd = -1;
     }
 }
