@@ -177,25 +177,28 @@ static int execute_command(char **argv, int silent)
177177 execvp (argv [0 ], argv );
178178
179179 E ("ERROR: execvp(): %s" , strerror (errno ));
180- fprintf (stderr , "failed to execute: %s" , argv [0 ]);
181- for (i = 1 ; argv [i ]; i ++ ) {
182- fprintf (stderr , " %s" , argv [i ]);
183- }
184- fputc ('\n' , stderr );
185- fflush (stderr );
186180
187181 _exit (EXIT_FAILURE );
188182 }
189183
190184 if (waitpid (pid , & status , 0 ) < 0 ) {
191185 E ("ERROR: waitpid(): %s" , strerror (errno ));
192- return -1 ;
186+ goto child_failed ;
193187 }
194188
195189 if (WIFEXITED (status ) && WEXITSTATUS (status ) == 0 ) {
196190 return 0 ;
197191 }
198192
193+ child_failed :
194+ if (!silent ) {
195+ fprintf (stderr , "failed command is: %s" , argv [0 ]);
196+ for (i = 1 ; argv [i ]; i ++ ) {
197+ fprintf (stderr , " %s" , argv [i ]);
198+ }
199+ fputc ('\n' , stderr );
200+ }
201+
199202 return -1 ;
200203}
201204
@@ -204,10 +207,15 @@ static void ipt_rules_cleanup(void)
204207{
205208 size_t i , ipt_cmds_cnt ;
206209 char * ipt_cmds [][32 ] = {
207- {"iptables" , "-t" , "mangle" , "-F" , "FAKEHTTP" , NULL },
208- {"iptables" , "-t" , "mangle" , "-D" , "INPUT" , "-j" , "FAKEHTTP" , NULL },
209- {"iptables" , "-t" , "mangle" , "-D" , "FORWARD" , "-j" , "FAKEHTTP" , NULL },
210- {"iptables" , "-t" , "mangle" , "-X" , "FAKEHTTP" , NULL }};
210+ {"iptables" , "-w" , "-t" , "mangle" , "-F" , "FAKEHTTP" , NULL },
211+
212+ {"iptables" , "-w" , "-t" , "mangle" , "-D" , "INPUT" , "-j" , "FAKEHTTP" ,
213+ NULL },
214+
215+ {"iptables" , "-w" , "-t" , "mangle" , "-D" , "FORWARD" , "-j" , "FAKEHTTP" ,
216+ NULL },
217+
218+ {"iptables" , "-w" , "-t" , "mangle" , "-X" , "FAKEHTTP" , NULL }};
211219
212220 ipt_cmds_cnt = sizeof (ipt_cmds ) / sizeof (* ipt_cmds );
213221
@@ -223,55 +231,72 @@ static int ipt_rules_setup(void)
223231 size_t i , ipt_cmds_cnt ;
224232 int res ;
225233 char * ipt_cmds [][32 ] = {
226- {"iptables" , "-t" , "mangle" , "-N" , "FAKEHTTP" , NULL },
227- {"iptables" , "-t" , "mangle" , "-I" , "INPUT" , "-j" , "FAKEHTTP" , NULL },
228- {"iptables" , "-t" , "mangle" , "-I" , "FORWARD" , "-j" , "FAKEHTTP" , NULL },
234+ {"iptables" , "-w" , "-t" , "mangle" , "-N" , "FAKEHTTP" , NULL },
235+
236+ {"iptables" , "-w" , "-t" , "mangle" , "-I" , "INPUT" , "-j" , "FAKEHTTP" ,
237+ NULL },
238+
239+ {"iptables" , "-w" , "-t" , "mangle" , "-I" , "FORWARD" , "-j" , "FAKEHTTP" ,
240+ NULL },
241+
242+ /*
243+ exclude big packets
244+ */
245+ {"iptables" , "-w" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-m" , "length" ,
246+ "!" , "--length" , "0:120" , "-j" , "RETURN" , NULL },
247+
248+ /*
249+ exclude packets from connections with more than 32 packets
250+ */
251+ {"iptables" , "-w" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-m" , "connbytes" ,
252+ "!" , "--connbytes" , "0:32" , "--connbytes-dir" , "both" ,
253+ "--connbytes-mode" , "packets" , "-j" , "RETURN" , NULL },
229254
230255 /*
231256 exclude marked packets
232257 */
233- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-m" , "mark" , "-- mark"
234- fwmark_str , "-j" , "CONNMARK" , "--save-mark" , NULL },
258+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-m" , "mark" ,
259+ "--mark" , fwmark_str , "-j" , "CONNMARK" , "--save-mark" , NULL },
235260
236- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-m" , "connmark" ,
261+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-m" , "connmark" ,
237262 "--mark" , fwmark_str , "-j" , "CONNMARK" , "--restore-mark" , NULL },
238263
239- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-m" , "mark" , "-- mark"
240- fwmark_str , "-j" , "RETURN" , NULL },
264+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-m" , "mark" ,
265+ "--mark" , fwmark_str , "-j" , "RETURN" , NULL },
241266
242267 /*
243268 exclude local IPs
244269 */
245- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "0.0.0.0/8" , "-j" ,
246- "RETURN" , NULL },
247-
248- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "10.0.0.0/8" ,
270+ {"iptables" , "-w" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "0.0.0.0/8" ,
249271 "-j" , "RETURN" , NULL },
250272
251- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "100.64.0.0/10 "
252- "-j" , "RETURN" , NULL },
273+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-s" ,
274+ "10.0.0.0/8" , " -j""RETURN" , NULL },
253275
254- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "127.0.0.0/8 "
255- "-j" , "RETURN" , NULL },
276+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-s" ,
277+ "100.64.0.0/10" , " -j""RETURN" , NULL },
256278
257- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "169.254.0.0/16 "
258- "-j" , "RETURN" , NULL },
279+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-s" ,
280+ "127.0.0.0/8" , " -j""RETURN" , NULL },
259281
260- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "172.16.0.0/12 "
261- "-j" , "RETURN" , NULL },
282+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-s" ,
283+ "169.254.0.0/16" , " -j""RETURN" , NULL },
262284
263- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "192.168.0.0/16 "
264- "-j" , "RETURN" , NULL },
285+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-s" ,
286+ "172.16.0.0/12" , " -j""RETURN" , NULL },
265287
266- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" , "224.0.0.0/3" ,
267- "-j" , "RETURN" , NULL },
288+ {"iptables" , "-w" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" ,
289+ "192.168.0.0/16" , "-j" , "RETURN" , NULL },
290+
291+ {"iptables" , "-w" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-s" ,
292+ "224.0.0.0/3" , "-j" , "RETURN" , NULL },
268293
269294 /*
270295 send to nfqueue
271296 */
272- {"iptables" , "-t" , "mangle" , "-A" , "FAKEHTTP" , "-i" , iface_str , "-p" ,
273- "tcp" , "--tcp-flags" , "ACK,FIN,RST" , "ACK" , "-j" , "NFQUEUE" ,
274- "--queue-num" , nfqnum_str , NULL }};
297+ {"iptables" , "-w" , "- t""mangle" , "-A" , "FAKEHTTP" , "-i" , iface_str ,
298+ "-p" , " tcp""--tcp-flags" , "ACK,FIN,RST" , "ACK" , "-j" , "NFQUEUE" ,
299+ "--queue-bypass" , "--queue- num"nfqnum_str , NULL }};
275300
276301 ipt_cmds_cnt = sizeof (ipt_cmds ) / sizeof (* ipt_cmds );
277302
@@ -555,7 +580,11 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
555580
556581 tcp_payload_len = pkt_len - iph_len - tcph_len ;
557582
558- if (tcph -> syn && tcph -> ack ) {
583+ if (tcp_payload_len > 0 ) {
584+ E ("%s:%u ===PAYLOAD(?)===> %s:%u" , src_ip , ntohs (tcph -> source ), dst_ip ,
585+ ntohs (tcph -> dest ));
586+ goto ret_mark_repeat ;
587+ } else if (tcph -> syn && tcph -> ack ) {
559588 E ("%s:%u ===SYN-ACK===> %s:%u" , src_ip , ntohs (tcph -> source ), dst_ip ,
560589 ntohs (tcph -> dest ));
561590
@@ -585,8 +614,6 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
585614 E ("%s:%u <===HTTP(*)=== %s:%u" , src_ip , ntohs (tcph -> source ), dst_ip ,
586615 ntohs (tcph -> dest ));
587616
588- goto ret_mark_repeat ;
589- } else if (tcp_payload_len > 0 ) {
590617 goto ret_mark_repeat ;
591618 } else if (tcph -> ack ) {
592619 E ("%s:%u ===ACK===> %s:%u" , src_ip , ntohs (tcph -> source ), dst_ip ,
@@ -600,12 +627,13 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
600627 goto ret_accept ;
601628 }
602629 }
603- E ("(*) %s:%u <===HTTP(*)=== %s:%u" , src_ip , ntohs (tcph -> source ),
630+ E ("%s:%u <===HTTP(*)=== %s:%u" , src_ip , ntohs (tcph -> source ),
604631 dst_ip , ntohs (tcph -> dest ));
605632
606- goto ret_accept ;
633+ goto ret_mark_repeat ;
607634 } else {
608- E ("WARNING: unexpected TCP packet (ignored)" );
635+ E ("%s:%u ===(?)===> %s:%u" , src_ip , ntohs (tcph -> source ), dst_ip ,
636+ ntohs (tcph -> dest ));
609637 goto ret_accept ;
610638 }
611639
0 commit comments