fix: Ensure packet order

Author: MikeWang000000

src/ipv4ipt.c

@@ -172,9 +172,6 @@ int fh_ipt4_setup(void)
          "--tcp-flags", "SYN,FIN,RST", "SYN", "-j", "NFQUEUE",
          "--queue-bypass", "--queue-num", nfqnum_str, NULL}};
 
-    E("ERROR: iptables rules is under development, please use nft.");
-    return -1;
-
     ipt_cmds_cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
 
     res = snprintf(xmark_str, sizeof(xmark_str), "%" PRIu32 "/%" PRIu32,

src/ipv6ipt.c

@@ -165,9 +165,6 @@ int fh_ipt6_setup(void)
          "--tcp-flags", "SYN,FIN,RST", "SYN", "-j", "NFQUEUE",
          "--queue-bypass", "--queue-num", nfqnum_str, NULL}};
 
-    E("ERROR: iptables rules is under development, please use nft.");
-    return -1;
-
     ipt_cmds_cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
 
     res = snprintf(xmark_str, sizeof(xmark_str), "%" PRIu32 "/%" PRIu32,

src/nfqueue.c

@@ -47,7 +47,7 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                     struct nfq_data *nfa, void *data)
 {
     uint32_t pkt_id, iifindex, oifindex;
-    int res, pkt_len, modified;
+    int verdict, pkt_len, modified;
     struct nfqnl_msg_packet_hdr *ph;
     unsigned char *pkt_data;
     struct nfqnl_msg_packet_hw *hwph;
@@ -98,16 +98,18 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
         memset(sll.sll_addr, 0, sizeof(sll.sll_addr));
     }
 
-    res = fh_rawsend_handle(&sll, pkt_data, pkt_len, &modified);
-    if (res < 0) {
+    verdict = fh_rawsend_handle(&sll, pkt_data, pkt_len, &modified);
+    if (verdict < 0) {
         EE(T(fh_rawsend_handle));
         goto ret_accept;
     }
 
-    if (modified) {
-        return nfq_set_verdict(qh, pkt_id, NF_ACCEPT, pkt_len, pkt_data);
+    if (modified && verdict != NF_DROP) {
+        return nfq_set_verdict(qh, pkt_id, verdict, pkt_len, pkt_data);
     }
 
+    return nfq_set_verdict(qh, pkt_id, verdict, 0, NULL);
+
 ret_accept:
     return nfq_set_verdict(qh, pkt_id, NF_ACCEPT, 0, NULL);
 }

src/rawsend.c

@@ -26,9 +26,11 @@
 #include <unistd.h>
 #include <arpa/inet.h>
 #include <net/ethernet.h>
+#include <net/if.h>
 #include <netinet/tcp.h>
 #include <sys/socket.h>
 #include <linux/if_packet.h>
+#include <linux/netfilter.h>
 #include <libnetfilter_queue/libnetfilter_queue_tcp.h>
 
 #include "globvar.h"
@@ -146,9 +148,69 @@ static int remove_tfo_cookie(uint16_t ethertype, uint8_t *pkt,
 }
 
 
+/*
+    This is a workaround for iptables since it does not allow us to intercept
+    packets after POSTROUTING SNAT, which means the SNATed source address is
+    unknown.
+    Instead of using an AF_PACKET socket, we create a temporary AF_INET or
+    AF_INET6 raw socket, so that the packet gets SNATed correctly.
+*/
+static int sendto_snat(struct sockaddr_ll *sll, struct sockaddr *daddr,
+                       uint8_t *pkt_buff, int pkt_len)
+{
+    int res, ret, sock_fd;
+    ssize_t nbytes;
+    char *iface, iface_buf[IF_NAMESIZE];
+
+    ret = -1;
+
+    iface = if_indextoname(sll->sll_ifindex, iface_buf);
+    if (!iface) {
+        E("ERROR: if_indextoname(): %s", strerror(errno));
+        return -1;
+    }
+
+    sock_fd = socket(daddr->sa_family, SOCK_RAW, IPPROTO_RAW);
+    if (sock_fd < 0) {
+        E("ERROR: socket(): %s", strerror(errno));
+        return -1;
+    }
+
+    res = setsockopt(sock_fd, SOL_SOCKET, SO_BINDTODEVICE, iface,
+                     strlen(iface));
+    if (res < 0) {
+        E("ERROR: setsockopt(): SO_BINDTODEVICE: %s", strerror(errno));
+        goto close_socket;
+    }
+
+    res = setsockopt(sock_fd, SOL_SOCKET, SO_MARK, &g_ctx.fwmark,
+                     sizeof(g_ctx.fwmark));
+    if (res < 0) {
+        E("ERROR: setsockopt(): SO_MARK: %s", strerror(errno));
+        goto close_socket;
+    }
+
+    nbytes = sendto(sock_fd, pkt_buff, pkt_len, 0, daddr,
+                    daddr->sa_family == AF_INET6 ? sizeof(struct sockaddr_in6)
+                                                 : sizeof(struct sockaddr_in));
+    if (nbytes < 0) {
+        E("ERROR: sendto(): %s", strerror(errno));
+        goto close_socket;
+    }
+
+    ret = nbytes;
+
+close_socket:
+    close(sock_fd);
+
+    return ret;
+}
+
+
 static int send_payload(struct sockaddr_ll *sll, struct sockaddr *saddr,
                         struct sockaddr *daddr, uint8_t ttl, uint16_t sport_be,
-                        uint16_t dport_be, uint32_t seq_be, uint32_t ackseq_be)
+                        uint16_t dport_be, uint32_t seq_be, uint32_t ackseq_be,
+                        int need_snat)
 {
     int pkt_len;
     ssize_t nbytes;
@@ -175,11 +237,19 @@ static int send_payload(struct sockaddr_ll *sll, struct sockaddr *saddr,
         return -1;
     }
 
-    nbytes = sendto(sockfd, pkt_buff, pkt_len, 0, (struct sockaddr *) sll,
-                    sizeof(*sll));
-    if (nbytes < 0) {
-        E("ERROR: sendto(): %s", strerror(errno));
-        return -1;
+    if (need_snat) {
+        nbytes = sendto_snat(sll, daddr, pkt_buff, pkt_len);
+        if (nbytes < 0) {
+            E(T(sendto_snat));
+            return -1;
+        }
+    } else {
+        nbytes = sendto(sockfd, pkt_buff, pkt_len, 0, (struct sockaddr *) sll,
+                        sizeof(*sll));
+        if (nbytes < 0) {
+            E("ERROR: sendto(): %s", strerror(errno));
+            return -1;
+        }
     }
 
     return 0;
@@ -258,6 +328,7 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
     char src_ip[INET6_ADDRSTRLEN], dst_ip[INET6_ADDRSTRLEN];
     struct sockaddr_storage saddr_store, daddr_store;
     struct sockaddr *saddr, *daddr;
+    ssize_t nbytes;
 
     *modified = 0;
 
@@ -292,14 +363,14 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
     if (tcp_payload_len > 0) {
         E_INFO("%s:%u ===PAYLOAD(?)===> %s:%u", src_ip, ntohs(tcph->source),
                dst_ip, ntohs(tcph->dest));
-        return 0;
+        return NF_ACCEPT;
     } else if (sll->sll_pkttype == PACKET_HOST && tcph->syn && tcph->ack) {
         sll->sll_pkttype = 0;
 
         if (!g_ctx.outbound) {
             E_INFO("%s:%u ===SYN-ACK(?)===> %s:%u", src_ip,
                    ntohs(tcph->source), dst_ip, ntohs(tcph->dest));
-            return 0;
+            return NF_ACCEPT;
         }
 
         E_INFO("%s:%u ===SYN-ACK===> %s:%u", src_ip, ntohs(tcph->source),
@@ -316,7 +387,7 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
             if (hop <= g_ctx.ttl) {
                 E_INFO("%s:%u ===LOCAL(?)===> %s:%u", src_ip,
                        ntohs(tcph->source), dst_ip, ntohs(tcph->dest));
-                return 0;
+                return NF_ACCEPT;
             }
             snd_ttl = calc_snd_ttl(hop);
         }
@@ -325,7 +396,7 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
 
         for (i = 0; i < g_ctx.repeat; i++) {
             res = send_payload(sll, daddr, saddr, snd_ttl, tcph->dest,
-                               tcph->source, tcph->ack_seq, ack_new);
+                               tcph->source, tcph->ack_seq, ack_new, 0);
             if (res < 0) {
                 E(T(send_payload));
                 return -1;
@@ -334,7 +405,7 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
         E_INFO("%s:%u <===FAKE(*)=== %s:%u", src_ip, ntohs(tcph->source),
                dst_ip, ntohs(tcph->dest));
 
-        return 0;
+        return NF_ACCEPT;
     } else if (sll->sll_pkttype == PACKET_OUTGOING && tcph->syn && tcph->ack) {
         sll->sll_pkttype = 0;
 
@@ -343,12 +414,9 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
         if (!g_ctx.inbound || srcinfo_unavail) {
             E_INFO("%s:%u <===SYN-ACK(?)=== %s:%u", dst_ip, ntohs(tcph->dest),
                    src_ip, ntohs(tcph->source));
-            return 0;
+            return NF_ACCEPT;
         }
 
-        E_INFO("%s:%u <===SYN-ACK=== %s:%u", dst_ip, ntohs(tcph->dest), src_ip,
-               ntohs(tcph->source));
-
         seq_new = ntohl(tcph->seq);
         seq_new++;
         seq_new = htonl(seq_new);
@@ -360,7 +428,7 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
             if (hop <= g_ctx.ttl) {
                 E_INFO("%s:%u <===LOCAL(?)=== %s:%u", src_ip,
                        ntohs(tcph->source), dst_ip, ntohs(tcph->dest));
-                return 0;
+                return NF_ACCEPT;
             }
             snd_ttl = calc_snd_ttl(hop);
         }
@@ -369,7 +437,8 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
 
         for (i = 0; i < g_ctx.repeat; i++) {
             res = send_payload(sll, saddr, daddr, snd_ttl, tcph->source,
-                               tcph->dest, seq_new, tcph->ack_seq);
+                               tcph->dest, seq_new, tcph->ack_seq,
+                               g_ctx.use_iptables /* needs SNAT */);
             if (res < 0) {
                 E(T(send_payload));
                 return -1;
@@ -378,12 +447,37 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
         E_INFO("%s:%u <===FAKE(*)=== %s:%u", dst_ip, ntohs(tcph->dest), src_ip,
                ntohs(tcph->source));
 
-        return 0;
+        /*
+            We send the original packet using a raw socket and discard the
+            current processing flow.
+            This ensures that the SYN-ACK is transmitted after the payload.
+            Although this deliberately causes a TCP out-of-order situation,
+            it guarantees that our payload is always sent before the client's
+            packet.
+        */
+        if (g_ctx.use_iptables) {
+            nbytes = sendto_snat(sll, daddr, pkt_data, pkt_len);
+            if (nbytes < 0) {
+                E(T(sendto_snat));
+                return -1;
+            }
+        } else {
+            nbytes = sendto(sockfd, pkt_data, pkt_len, 0,
+                            (struct sockaddr *) sll, sizeof(*sll));
+            if (nbytes < 0) {
+                E("ERROR: sendto(): %s", strerror(errno));
+                return -1;
+            }
+        }
+
+        E_INFO("%s:%u <===SYN-ACK=== %s:%u", dst_ip, ntohs(tcph->dest), src_ip,
+               ntohs(tcph->source));
+        return NF_DROP;
     } else if (sll->sll_pkttype == PACKET_HOST && tcph->syn) {
         if (!g_ctx.inbound) {
             E_INFO("%s:%u ===SYN(?)===> %s:%u", src_ip, ntohs(tcph->source),
                    dst_ip, ntohs(tcph->dest));
-            return 0;
+            return NF_ACCEPT;
         }
 
         *modified = !remove_tfo_cookie(ethertype, pkt_data, tcph);
@@ -401,12 +495,12 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
             return -1;
         }
 
-        return 0;
+        return NF_ACCEPT;
     } else if (sll->sll_pkttype == PACKET_OUTGOING && tcph->syn) {
         if (!g_ctx.outbound) {
             E_INFO("%s:%u <===SYN(?)=== %s:%u", dst_ip, ntohs(tcph->dest),
                    src_ip, ntohs(tcph->source));
-            return 0;
+            return NF_ACCEPT;
         }
 
         *modified = !remove_tfo_cookie(ethertype, pkt_data, tcph);
@@ -418,10 +512,10 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
                    ntohs(tcph->source));
         }
 
-        return 0;
+        return NF_ACCEPT;
     } else {
         E_INFO("%s:%u ===(?)=== %s:%u", src_ip, ntohs(tcph->source), dst_ip,
                ntohs(tcph->dest));
-        return 0;
+        return NF_ACCEPT;
     }
 }