
Commit b58e208

feat: Send payload early for incoming TCP connection & Remove TFO Cookie
1 parent b48f06e commit b58e208


10 files changed

+616
-152
lines changed


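--- a/include/rawsend.h
+++ b/include/rawsend.h
@@ -27,6 +27,7 @@ int fh_rawsend_setup(void);
 
 void fh_rawsend_cleanup(void);
 
-int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len);
+int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
+int *modified);
 
 #endif /* FH_RAWSEND_H */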
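Review bot: The new `int *modified` out-parameter on fh_rawsend_handle is undocumented: nothing in the header says what value it receives, whether it is always written (including on the error path), or whether a caller may pass NULL. Since this is the public prototype, a comment above it is the right place; for example `/* modified: out; set by the handler to report whether pkt_data was changed (TODO confirm semantics); callers must pass a valid pointer unless NULL is explicitly accepted */`. The return-value contract (presumably 0 / -1 like the other fh_* functions) would fit in the same comment.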

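--- /dev/null
+++ b/include/srcinfo.h
@@ -0,0 +1,34 @@
+/*
+* srcinfo.h - FakeHTTP: https://github.com/MikeWang000000/FakeHTTP
+*
+* Copyright (C) 2025 MikeWang000000
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+#ifndef FH_SRCINFO_H
+#define FH_SRCINFO_H
+
+#include <stdint.h>
+#include <sys/socket.h>
+
+int fh_srcinfo_setup(void);
+
+void fh_srcinfo_cleanup(void);
+
+int fh_srcinfo_put(struct sockaddr *addr, uint8_t ttl, uint8_t hwaddr[8]);
+
+int fh_srcinfo_get(struct sockaddr *addr, uint8_t *ttl, uint8_t hwaddr[8]);
+
+#endif /* FH_SRCINFO_H */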
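Review bot: The fh_srcinfo_put/fh_srcinfo_get prototypes take their lookup key as a non-const `struct sockaddr *addr` and the stored address as `uint8_t hwaddr[8]`, which in a parameter list is only a pointer and does not enforce the 8-byte length. Marking the inputs const would make the in/out direction visible from the header: `int fh_srcinfo_put(const struct sockaddr *addr, uint8_t ttl, const uint8_t hwaddr[8]);` and `int fh_srcinfo_get(const struct sockaddr *addr, uint8_t *ttl, uint8_t hwaddr[8]);`. A short comment per function stating which sockaddr families are accepted, whether the key is the address only or address plus port, that `hwaddr` must point to at least 8 writable/readable bytes, and what the return value means when no entry exists would also help callers. These cannot be confirmed from the header alone, so they are points to document rather than defects I can assert.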

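--- a/src/ipv4ipt.c
+++ b/src/ipv4ipt.c
@@ -33,15 +33,29 @@ static int ipt4_iface_setup(void)
 char iface_str[IFNAMSIZ];
 size_t i;
 int res;
-char *ipt_alliface_cmd[] = {"iptables", "-w", "-t", "mangle", "-A",
-"FAKEHTTP", "-j", "FAKEHTTP_R", NULL};
+char *ipt_alliface_src_cmd[] = {"iptables", "-w", "-t",
+"mangle", "-A", "FAKEHTTP_S",
+"-j", "FAKEHTTP_R", NULL};
 
-char *ipt_iface_cmd[] = {"iptables", "-w", "-t", "mangle",
-"-A", "FAKEHTTP", "-i", iface_str,
-"-j", "FAKEHTTP_R", NULL};
+char *ipt_alliface_dst_cmd[] = {"iptables", "-w", "-t",
+"mangle", "-A", "FAKEHTTP_D",
+"-j", "FAKEHTTP_R", NULL};
+
+char *ipt_iface_src_cmd[] = {"iptables", "-w", "-t", "mangle",
+"-A", "FAKEHTTP_S", "-i", iface_str,
+"-j", "FAKEHTTP_R", NULL};
+
+char *ipt_iface_dst_cmd[] = {"iptables", "-w", "-t", "mangle",
+"-A", "FAKEHTTP_D", "-o", iface_str,
+"-j", "FAKEHTTP_R", NULL};
 
 if (g_ctx.alliface) {
-res = fh_execute_command(ipt_alliface_cmd, 0, NULL);
+res = fh_execute_command(ipt_alliface_src_cmd, 0, NULL);
+if (res < 0) {
+E(T(fh_execute_command));
+return -1;
+}
+res = fh_execute_command(ipt_alliface_dst_cmd, 0, NULL);
 if (res < 0) {
 E(T(fh_execute_command));
 return -1;
@@ -56,7 +70,13 @@ static int ipt4_iface_setup(void)
 return -1;
 }
 
-res = fh_execute_command(ipt_iface_cmd, 0, NULL);
+res = fh_execute_command(ipt_iface_src_cmd, 0, NULL);
+if (res < 0) {
+E(T(fh_execute_command));
+return -1;
+}
+
+res = fh_execute_command(ipt_iface_dst_cmd, 0, NULL);
 if (res < 0) {
 E(T(fh_execute_command));
 return -1;
@@ -72,59 +92,91 @@ int fh_ipt4_setup(void)
 size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
 int res;
 char *ipt_cmds[][32] = {
-{"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP", NULL},
+{"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP_S", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP_D", NULL},
 
 {"iptables", "-w", "-t", "mangle", "-I", "PREROUTING", "-j",
-"FAKEHTTP", NULL},
+"FAKEHTTP_S", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-I", "POSTROUTING", "-j",
+"FAKEHTTP_D", NULL},
 
 {"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP_R", NULL},
 
 /*
-exclude marked packets
+exclude local IPs (from source)
 */
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
-"--mark", xmark_str, "-j", "CONNMARK", "--set-xmark", xmark_str,
-NULL},
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"0.0.0.0/8", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m",
-"connmark", "--mark", xmark_str, "-j", "MARK", "--set-xmark",
-xmark_str, NULL},
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"10.0.0.0/8", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
-"--mark", xmark_str, "-j", "RETURN", NULL},
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"100.64.0.0/10", "-j", "RETURN", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"127.0.0.0/8", "-j", "RETURN", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"169.254.0.0/16", "-j", "RETURN", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"172.16.0.0/12", "-j", "RETURN", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"192.168.0.0/16", "-j", "RETURN", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
+"224.0.0.0/3", "-j", "RETURN", NULL},
 
 /*
-exclude local IPs
+exclude local IPs (to destination)
 */
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "0.0.0.0/8", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "10.0.0.0/8", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "100.64.0.0/10", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "127.0.0.0/8", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "169.254.0.0/16", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "172.16.0.0/12", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "192.168.0.0/16", "-j", "RETURN", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_D", "-d",
 "224.0.0.0/3", "-j", "RETURN", NULL},
 
+/*
+exclude marked packets
+*/
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
+"--mark", xmark_str, "-j", "CONNMARK", "--set-xmark", xmark_str,
+NULL},
+
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m",
+"connmark", "--mark", xmark_str, "-j", "MARK", "--set-xmark",
+xmark_str, NULL},
+
+{"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
+"--mark", xmark_str, "-j", "RETURN", NULL},
+
 /*
 send to nfqueue
 */
 {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-p", "tcp",
-"--tcp-flags", "ACK,FIN,RST", "ACK", "-j", "NFQUEUE",
+"--tcp-flags", "SYN,FIN,RST", "SYN", "-j", "NFQUEUE",
 "--queue-bypass", "--queue-num", nfqnum_str, NULL}};
 
 char *ipt_opt_cmds[][32] = {
@@ -187,26 +239,21 @@ void fh_ipt4_cleanup(void)
 char *ipt_cmds[][32] = {
 {"iptables", "-w", "-t", "mangle", "-F", "FAKEHTTP_R", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-F", "FAKEHTTP", NULL},
-
-{"iptables", "-w", "-t", "mangle", "-D", "PREROUTING", "-j",
-"FAKEHTTP", NULL},
-
-{"iptables", "-w", "-t", "mangle", "-D", "INPUT", "-j", "FAKEHTTP",
-NULL},
+{"iptables", "-w", "-t", "mangle", "-F", "FAKEHTTP_S", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-D", "FORWARD", "-j", "FAKEHTTP",
-NULL},
+{"iptables", "-w", "-t", "mangle", "-F", "FAKEHTTP_D", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-D", "OUTPUT", "-j", "FAKEHTTP",
-NULL},
+{"iptables", "-w", "-t", "mangle", "-D", "PREROUTING", "-j",
+"FAKEHTTP_S", NULL},
 
 {"iptables", "-w", "-t", "mangle", "-D", "POSTROUTING", "-j",
-"FAKEHTTP", NULL},
+"FAKEHTTP_D", NULL},
 
 {"iptables", "-w", "-t", "mangle", "-X", "FAKEHTTP_R", NULL},
 
-{"iptables", "-w", "-t", "mangle", "-X", "FAKEHTTP", NULL}};
+{"iptables", "-w", "-t", "mangle", "-X", "FAKEHTTP_S", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-X", "FAKEHTTP_D", NULL}};
 
 cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
 for (i = 0; i < cnt; i++) {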
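Review bot: In the first hunk of ipt4_iface_setup (whose body starts and ends outside the hunk) the execute-and-check sequence is now copied four times, once per src/dst command, in both the alliface branch and the per-interface loop; fh_ipt4_setup already drives its commands from an array with one loop, and the same shape here would keep the error handling in one place. The local-IP exclusion list also now exists in four hand-maintained copies (FAKEHTTP_S and FAKEHTTP_D here, fh_prerouting and fh_postrouting in src/ipv4nft.c), so an address range added to one and forgotten in another would silently let traffic reach the queue from one direction only; a single static table of prefixes that both backends iterate would prevent that drift. Finally, the cleanup hunk removes only the new FAKEHTTP_S/FAKEHTTP_D chains, so rules left behind by an earlier build that still used the plain FAKEHTTP chain and the INPUT/FORWARD/OUTPUT jumps are, as far as this hunk shows, no longer deleted; that may be acceptable, but is worth a comment if it is deliberate. Sketch for the alliface branch (the per-interface loop would mirror it with the *_iface_* commands):

```c
char **alliface_cmds[] = {ipt_alliface_src_cmd, ipt_alliface_dst_cmd};

if (g_ctx.alliface) {
    for (i = 0; i < sizeof(alliface_cmds) / sizeof(*alliface_cmds); i++) {
        res = fh_execute_command(alliface_cmds[i], 0, NULL);
        if (res < 0) {
            E(T(fh_execute_command));
            return -1;
        }
    }
    /* … unchanged: rest of the alliface branch … */
```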

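--- a/src/ipv4nft.c
+++ b/src/ipv4nft.c
@@ -59,7 +59,20 @@ static int nft4_iface_setup(void)
 E("ERROR: snprintf(): %s", "failure");
 return -1;
 }
+res = fh_execute_command(nft_iface_cmd, 0, NULL);
+if (res < 0) {
+E(T(fh_execute_command));
+return -1;
+}
 
+res = snprintf(
+nftstr, sizeof(nftstr),
+"add rule ip fakehttp fh_postrouting oifname \"%s\" jump fh_rules",
+g_ctx.iface[i]);
+if (res < 0 || (size_t) res >= sizeof(nftstr)) {
+E("ERROR: snprintf(): %s", "failure");
+return -1;
+}
 res = fh_execute_command(nft_iface_cmd, 0, NULL);
 if (res < 0) {
 E(T(fh_execute_command));
@@ -81,6 +94,33 @@ int fh_nft4_setup(void)
 " chain fh_prerouting {\n"
 " type filter hook prerouting priority mangle - 5;\n"
 " policy accept;\n"
+/*
+exclude local IPs
+*/
+" ip saddr 0.0.0.0/8 return;\n"
+" ip saddr 10.0.0.0/8 return;\n"
+" ip saddr 100.64.0.0/10 return;\n"
+" ip saddr 127.0.0.0/8 return;\n"
+" ip saddr 169.254.0.0/16 return;\n"
+" ip saddr 172.16.0.0/12 return;\n"
+" ip saddr 192.168.0.0/16 return;\n"
+" ip saddr 224.0.0.0/3 return;\n"
+" }\n"
+"\n"
+" chain fh_postrouting {\n"
+" type filter hook postrouting priority mangle - 5;\n"
+" policy accept;\n"
+/*
+exclude local IPs
+*/
+" ip daddr 0.0.0.0/8 return;\n"
+" ip daddr 10.0.0.0/8 return;\n"
+" ip daddr 100.64.0.0/10 return;\n"
+" ip daddr 127.0.0.0/8 return;\n"
+" ip daddr 169.254.0.0/16 return;\n"
+" ip daddr 172.16.0.0/12 return;\n"
+" ip daddr 192.168.0.0/16 return;\n"
+" ip daddr 224.0.0.0/3 return;\n"
 " }\n"
 "\n"
 " chain fh_rules {\n"
@@ -96,22 +136,10 @@ int fh_nft4_setup(void)
 
 " meta mark and %" PRIu32 " == %" PRIu32 " return;\n"
 
-/*
-exclude local IPs
-*/
-" ip saddr 0.0.0.0/8 return;\n"
-" ip saddr 10.0.0.0/8 return;\n"
-" ip saddr 100.64.0.0/10 return;\n"
-" ip saddr 127.0.0.0/8 return;\n"
-" ip saddr 169.254.0.0/16 return;\n"
-" ip saddr 172.16.0.0/12 return;\n"
-" ip saddr 192.168.0.0/16 return;\n"
-" ip saddr 224.0.0.0/3 return;\n"
-
 /*
 send to nfqueue
 */
-" tcp flags & (fin | rst | ack) == ack queue num %" PRIu32
+" tcp flags & (syn | fin | rst) == syn queue num %" PRIu32
 " bypass;\n"
 
 " }\n"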
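Review bot: The new queue rule in fh_rules, `tcp flags & (syn | fin | rst) == syn`, matches more than the bare SYN: because `ack` is not part of the mask, a SYN-ACK satisfies it too, so with the new fh_postrouting hook both the inbound SYN and the outbound SYN-ACK of an incoming connection are handed to the queue. That looks intentional given the commit title, but the rule and its iptables twin in src/ipv4ipt.c (`--tcp-flags SYN,FIN,RST SYN`) read as "SYN only" at a glance; a comment in both places such as `/* ack deliberately not masked: matches the inbound SYN and the outbound SYN-ACK (TODO confirm intent) */` would stop a future reader from "fixing" it. The enclosing fh_nft4_setup body continues outside the hunk. The nft4_iface_setup hunk relies on nft_iface_cmd referencing nftstr so that the second fh_execute_command picks up the rewritten postrouting rule; that dependency is not visible here, so a one-line comment above the second snprintf saying the buffer is reused for the second command would make the two-step sequence explicit.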
