klavirshik
/
GoodbyeDPI
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: klavirshik:0.1.7
Branches Tags
klavirshik:master
klavirshik:quic_block
klavirshik:test_windres
klavirshik:openvpn
klavirshik:windivert2
klavirshik:masterv6
klavirshik:ipv6
klavirshik:windivert-test
klavirshik:0.2.3rc1
klavirshik:0.2.2
klavirshik:0.2.1
klavirshik:0.2.0
klavirshik:0.1.8
klavirshik:0.1.7
klavirshik:0.1.6
klavirshik:0.1.5
klavirshik:0.1.5rc3
klavirshik:0.1.5rc2
klavirshik:0.1.5rc1
klavirshik:0.1.4
klavirshik:0.1.3
klavirshik:0.1.2
klavirshik:0.1.2rc3
klavirshik:0.1.2rc2
klavirshik:0.1.2rc1
klavirshik:0.1.1
klavirshik:0.1.0
klavirshik:0.0.9
klavirshik:0.0.8
klavirshik:0.0.7
klavirshik:0.0.6
klavirshik:0.0.5
klavirshik:0.0.4
klavirshik:0.0.3
klavirshik:0.0.2
klavirshik:0.0.1
...
compare: klavirshik:master
Branches Tags
klavirshik:master
klavirshik:quic_block
klavirshik:test_windres
klavirshik:openvpn
klavirshik:windivert2
klavirshik:masterv6
klavirshik:ipv6
klavirshik:windivert-test
klavirshik:0.2.3rc1
klavirshik:0.2.2
klavirshik:0.2.1
klavirshik:0.2.0
klavirshik:0.1.8
klavirshik:0.1.7
klavirshik:0.1.6
klavirshik:0.1.5
klavirshik:0.1.5rc3
klavirshik:0.1.5rc2
klavirshik:0.1.5rc1
klavirshik:0.1.4
klavirshik:0.1.3
klavirshik:0.1.2
klavirshik:0.1.2rc3
klavirshik:0.1.2rc2
klavirshik:0.1.2rc1
klavirshik:0.1.1
klavirshik:0.1.0
klavirshik:0.0.9
klavirshik:0.0.8
klavirshik:0.0.7
klavirshik:0.0.6
klavirshik:0.0.5
klavirshik:0.0.4
klavirshik:0.0.3
klavirshik:0.0.2
klavirshik:0.0.1

85 Commits
0.1.7 ... master

Author SHA1 Message Date
ValdikSS d9bf7c3ccd
Update bug.yml 2024-08-01 10:41:07 +03:00
ValdikSS ad18fb9854
Merge pull request #383 from mdashlw/patch-1 
Update README.md
 2024-07-31 15:18:17 +03:00
mdashlw bc82203364
Update README.md 2024-07-31 20:13:32 +08:00
ValdikSS a1fb62ff82
Merge pull request #379 from eltociear/patch-1 
chore: update README.md
 2024-07-28 22:51:17 +03:00
Ikko Eltociear Ashimine 46e6c8f2db
chore: update README.md 
resover -> resolver
 2024-07-29 00:50:56 +09:00
ValdikSS 905d3c98a6 Revert "Add Unicorn HTTPS for iOS": doesn't do anything 
This reverts commit 95c5ca81b2.
 2024-07-26 03:44:16 +03:00
ValdikSS b08836de50 Use WinDivert 2.2.0-D for Windows 7 compatibility 2024-07-25 00:51:47 +03:00
ValdikSS cf1f2a8674 Actions: use $GITHUB_OUTPUT instead of ::set-output 2024-07-23 07:14:35 +03:00
ValdikSS 16464646a9 Use WinDivert 2.2.2 2024-07-23 07:11:47 +03:00
ValdikSS ba015cf44e Update Github Actions "actions" to newest versions 2024-07-23 07:11:18 +03:00
ValdikSS 3837635f2c Use non-prefixed windres for msys2. #372 2024-07-23 07:04:08 +03:00
ValdikSS 95c5ca81b2 Add Unicorn HTTPS for iOS 2024-05-31 03:18:56 +03:00
ValdikSS bbb7e4cea8 Add ByeDPI 2024-05-30 22:41:46 +03:00
ValdikSS 15eb10ac68 Fragment packet by the beginning of SNI value. #357 
It has been reported that the DPI systems in Saudi Arabia and
United Arab Emirates are started to search for the beginning of
SNI extension header and its value, without parsing the TLS ClientHello
packet, in any part of TCP session.

Workaround the issue by splitting the packet right after the end
of extension headers and before its value.

https://ntc.party/t/goodbyedpi-in-saudi-arabia/7884
https://ntc.party/t/goodbyedpi-in-uae/7914
 2024-05-30 22:16:14 +03:00
ValdikSS 4c846c712d Handle TLSv1.2 record version handshakes (16 03 03). #353 2024-05-30 21:02:16 +03:00
ValdikSS 4a82fd442d Add manual Github Action trigger 2023-03-29 13:38:48 +03:00
ValdikSS b3c9ff8419
Merge pull request #270 from mohadangKim/master 
fix memcpy usage
 2022-08-06 15:06:14 +03:00
ValdikSS fc6fd98a62 Merge branch 'VladWinner-master' 2022-08-06 14:52:15 +03:00
ValdikSS 6304328548 Merge branch 'master' of https://github.com/VladWinner/GoodbyeDPI into VladWinner-master 2022-08-06 14:52:02 +03:00
ValdikSS 86867fe678 Add GhosTCP by macronut to the list of alternative projects 2022-08-06 14:46:00 +03:00
mohadangKim 54349a1c31 fix memcpy usage 2022-07-01 22:12:55 +09:00
ValdikSS 4f18a73239 Print correct set-ttl/auto-ttl mode in the status 2022-03-31 12:15:40 +03:00
ValdikSS 67629fb6ef Disable auto-ttl if set-ttl has been used after auto-ttl 2022-03-31 12:14:03 +03:00
ValdikSS 27a6d256f0 Handle HTTP GET and POST in packets larger than --max-payload 
If --max-payload 1200 is used and there's HTTP request with lots of cookies
which exceed 1200 bytes in size, this packet would have been skipped as
'too large', and the circumvention won't be applied.
Fix this by checking for "GET " or "POST" in the beginning of the packet
regardless of its size.
 2022-03-21 15:17:27 +03:00
ValdikSS 938dce7333 Merge branch 'windivert2' 2022-03-21 15:06:15 +03:00
ValdikSS 99c403ca62 GoodbyeDPI v0.2.2 2022-03-21 14:12:36 +03:00
ValdikSS 6ee4101f58 Fix --set-ttl when used with --min-ttl 2022-03-21 14:08:02 +03:00
ValdikSS f94a20d221 Update bug template 2022-03-16 17:07:45 +03:00
Vlad 54f810b6b0
Update README.md 2022-03-14 20:26:29 +03:00
ValdikSS 55a3a94065 Handle "0" in domain names 2022-03-06 00:22:22 +03:00
ValdikSS 8383ecaadf Change argument order for calloc() 2022-02-18 11:05:44 +07:00
ValdikSS 8deacbc438 Allocate (argc + 1) for the service arguments, with calloc 
It was assumed that getopt checks argc count and does not require
null-terminated argv pointer to determine argv end for optional
parameter.
That is wrong.
Add null-terminated latest argv.

Fixes #246
 2022-02-18 02:41:03 +07:00
ValdikSS 1cfd2b1b9f Allow to set --max-payload to zero 2022-01-10 08:32:10 +03:00
ValdikSS 766a8ab4ed Add forgotten default max-payload value in the README 2022-01-07 01:39:57 +03:00
ValdikSS b7190f0e1f Add DANGEROUS notices for ttl modes in readme 2022-01-06 23:43:10 +03:00
ValdikSS 857aeb2366 Add SpoofDPI to similar projects 2022-01-04 22:48:22 +03:00
ValdikSS 871670845f Document forgotten --max-payload in -5 and -6 modes (v0.2.0+) 2022-01-04 15:40:21 +03:00
ValdikSS 68a68aede9 Use WinDivert 2.2.0 for Github Actions building 2022-01-04 15:13:57 +03:00
ValdikSS 4a8f7ac4fb Call WinDivertShutdown on shutdown 2022-01-04 03:14:47 +03:00
ValdikSS ee4ce8893c Initial support for WinDivert 2.0+ 
This patch adds WinDivert 2.0+ support in a backward-incompatible way.
WinDivert 1.4 won't work after this commit anymore.
 2022-01-03 21:23:40 +03:00
ValdikSS 406cf2ca68 GoodbyeDPI v0.2.1 2021-12-30 21:14:23 +03:00
ValdikSS 277b1fb4ef SNI extraction bugfix: add forgotten hyphen as an allowed domain character 
This fixes --allow-no-sni option for domains with hyphen.
 2021-12-30 19:16:43 +03:00
ValdikSS 5494be72ba GoodbyeDPI v0.2.0 2021-12-30 03:46:51 +03:00
ValdikSS 09089e0364 Update readme 2021-12-30 03:45:50 +03:00
ValdikSS c92cd77c51 Ensure the resource file to be compiled before linking 2021-12-30 03:45:20 +03:00
ValdikSS f97a2d04f0 Use --max-payload-size=1200 for -5 and -6 modes. 2021-12-30 03:44:37 +03:00
ValdikSS d7c681d1a2 Add Max Payload Size limit option (`--max-payload-size`) 
This option excludes TCP packets with the data payload larger than
defined value from being copied by WinDivert driver to GoodbyeDPI.

As most of HTTP and TLS ClientHello packets are repatively small,
and file transfers are usually big and are sent/received using
the whole available MTU/MSS, we can just exclude them from
being processed by our userspace program to reduce unnecessary
CPU load.
 2021-12-30 03:41:12 +03:00
ValdikSS ab74ddc425 Update readme 2021-12-29 16:22:43 +03:00
ValdikSS cc1676ad92 --allow-no-sni option. Useful with --blacklist and undetectable SNI. 
This option is added specially for protonmail.com, as it sends
low Window Size in SYN-ACK for requests from Russia, to force
the client to fragment the packet. GoodbyeDPI doesn't do reassembling
and can't extract SNI in this case, thus won't circumvent the
censorship if --blacklist option is used.
 2021-12-29 16:18:56 +03:00
ValdikSS 7f59593a28 Check TLS Handshake ClientHello byte if packet length is enough 2021-12-29 16:14:12 +03:00
ValdikSS 372cc6a45d Properly handle Native Fragmentation packet of bigger or equal size than the fragment size 2021-12-29 16:10:18 +03:00
ValdikSS 46c4f36de8 Add Fake Packet maximum TTL limit to Auto TTL mode 
This patchset adds maximum TTL size of the fake packet to be sent,
to further  improve compatibility with asymmertic routing and
non-standard TTL value set on servers.
 2021-12-29 02:05:39 +03:00
ValdikSS 8911e459d8 Exit when native fragmentation is enabled but http/https values are not set 2021-12-28 23:48:57 +03:00
ValdikSS f4edcf7b4f Small text output enhancements 2021-12-28 23:48:57 +03:00
ValdikSS bb8bafb663 Add Auto TTL range adjustment, introduce min-ttl and use it for --set-ttl as well. 2021-12-28 23:48:57 +03:00
ValdikSS e25d7432de Better Auto TTL adjusting algorithm which honors short distance 
Say you set --auto-ttl to 4.
If the TTL distance to the destination host is too short, say 6, auto-ttl
would decrease it by 4 and send a fake packet with TTL 2, which is too low
for the packet to travel via DPI system.
But if you set --auto-ttl to a lower value such as 2, that may introduce
issues over long lines where outgoing-path TTL and incoming-path TTL may have
difference more than 2 hops due to higher chance of assymetric routing along
the path.

To solve this issue, this commit introduce auto-ttl range of two values.
If the incoming TTL distance is more than autottl2, it is subtracted by
autottl2 value.
If the distance is less than autottl2, the distance value is used as a
normalized weigth of [autottl1; autottl2] scale.

The simplified formula is as follows:

    128 > extracted_ttl > 98: // Server is running Windows
      nhops = 128 - extracted_ttl
    64 > extracted_ttl > 34: // Server is running Linux/FreeBSD/other
      nhops = 64 - extracted_ttl

    if (nhops - autottl2 < autottl2)
        ttl_of_fake_packet = nhops - autottl1 - trunc((autottl2 - autottl1) * ((float)nhops/10));
    else
        ttl_of_fake_packet = nhops - autottl2
 2021-12-28 22:28:55 +03:00
ValdikSS c60dbf7ca7 Remove man-db auto-update for slightly faster installation 2021-12-28 00:31:54 +03:00
ValdikSS b1273c8e10 Update Makefile, add more warning options 2021-12-28 00:31:54 +03:00
ValdikSS 9e98b478df Update readme 2021-12-28 00:31:54 +03:00
ValdikSS 67c226dc7c Fix all types and warnings 2021-12-28 00:31:47 +03:00
ValdikSS 46219e95e7 Update uthash to 2.3.0 2021-12-27 06:58:20 +03:00
ValdikSS 6eec99e874 GoodbyeDPI v0.1.8 2021-12-26 20:29:24 +03:00
ValdikSS b799b33fed Update readme 2021-12-26 20:24:16 +03:00
ValdikSS 76c4658985 Update github issue templates 2021-12-26 20:10:18 +03:00
ValdikSS d61a9f8022 Handle only (default_ttl - 30) range in Auto TTL 2021-12-26 19:05:03 +03:00
ValdikSS fc15088c33 Fix spelling 2021-12-26 18:42:26 +03:00
ValdikSS 1ea70f9bc9 Do not print "Error receiving packet!" upon exiting 2021-12-26 18:39:44 +03:00
ValdikSS ed42c5d627 Fix all the warnings and notes 2021-12-26 17:45:37 +03:00
ValdikSS a79377f606 Github Actions: rebuild only on src directory changes 2021-12-26 15:12:13 +03:00
ValdikSS db37b4f1f2 Add Github Actions build script 2021-12-26 15:03:35 +03:00
ValdikSS 9fcf097cb7 Use Auto TTL = 4 by default 
Previous value of 2 caused issues with the services connected via
very different uplink/downlink routing links.
 2021-12-25 20:43:56 +03:00
ValdikSS e1e09f9103 Add safekeeping TTL value for Auto TTL 2021-12-25 13:56:57 +03:00
ValdikSS a5c2f9fac9 Introduce -5 and -6 modes and make -5 default 
Modern modesets (more stable, more compatible, faster):
 -5          -f 2 -e 2 --auto-ttl --reverse-frag (this is the default now)
 -6          -f 2 -e 2 --wrong-seq --reverse-frag
 2021-12-25 13:56:57 +03:00
ValdikSS 11c322aaed Show fragmentation value issues only when Window Size is used 2021-12-25 13:07:39 +03:00
ValdikSS 88d4a60cdf Merge branch 'badseq_for_master' into master 2021-12-25 12:30:08 +03:00
ValdikSS b45b463d51 Update readme 2021-12-25 12:24:25 +03:00
ValdikSS 80fcd9c5cf Replace required/optional brackets in the readme 2021-12-25 12:24:25 +03:00
ValdikSS 21ff80b43c Automatic TTL value picker for --set-ttl Fake Packet mode 
This is a per-connection (per-destination) automatic TTL adjusting feature.
Basically a --set-ttl mode where you don't need to set specific TTL value.

It works as follows:
 1. All incoming SYN/ACKs (the response to client's SYN) are intercepted
 2. TTL value is extracted from SYN/ACK
 3. New TTL is calculated with the simple formula:
    128 > extracted_ttl > 64: // Server is running Windows
      fakepacket_ttl = 128 - extracted_ttl - decrement
    64 > extracted_ttl > 34: // Server is running Linux/FreeBSD/other
      fakepacket_ttl = 64 - extracted_ttl - decrement
 4. Fake packet is sent

To comply with the multi-path multi-hop server connections
where 1 hop dispersion is not rare, decrement should be at least of
value "2", which is the default.

The patch does not process "too strange" TTL values (bigger than 128,
less than 34).
 2021-12-25 12:24:25 +03:00
ValdikSS bbb6af89fe New Fake Packet circumvention method: wrong SEQ/ACK numbers 
This method sends Fake Packet with the TCP SEQ/ACK numbers "in the past":
-66000 is used for ACK (right out of the ACK permissive window in Linux stack),
-10000 is used for SEQ (without any reasoning).

This method is pretty effective in Russia.
It also could be handy in a networks which prohibit changing TTL values
(mobile networks with tethering block/premium feature).
 2021-12-25 11:55:26 +03:00
ValdikSS b57a204d96 Apply each Fake Packet method to each packet separately 
Before: --set-ttl and --wrong-chksum generated single Fake Packet with both low TTL and incorrect checksum.
Now:    --set-ttl and --wrong-chksum generate two packets: one with low TTL, another with incorrect checksum.
 2021-12-25 10:49:26 +03:00
ValdikSS 3899a719c1 Update Makefile, make fortify work on modern mingw compilers 2021-12-25 10:24:43 +03:00
ValdikSS b9682ac222 Print parsed hostnames in DEBUG mode 2021-12-25 10:24:43 +03:00
ValdikSS 35c6e401db Handle TLS SNI in blacklist option 
Now blacklist applies not only to HTTP websites, but also to HTTPS.

Fixes #213
 2021-12-25 10:23:43 +03:00
ValdikSS cf7d1c69e0 Add TLS Server Name Indication (SNI) extractor 2021-12-25 10:09:37 +03:00
ValdikSS 5b79d8e8ba Update Makefile, make fortify work on modern mingw compilers 2021-12-25 01:50:34 +03:00
19 changed files with 1130 additions and 409 deletions
Show Stats Expand all files Collapse all files

45
.github/ISSUE_TEMPLATE/bug-report----------------------.md vendored
View File

@ -1,45 +0,0 @@
---
name: Bug report / сообщение об ошибке
about: Report software issue / сообщить об ошибке в программе
title: ''
labels: ''
assignees: ''
---
<!--
WARNING! Please pay some attention!
GoodbyeDPI does not guarantee to work on your ISP on 100% or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it.
Please report software bugs, such as: website incompatibility (if the website works without GoodbyeDPI but breaks with GoobyeDPI enabled), antivirus incompatibility, DNS redirection problems, incorrect packet handling, and other software issues.
Please make sure to check other opened and closed issues, it could be your question or issue has been already discussed.
ВНИМАНИЕ! Пожалуйста, прочтите!
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу вообще. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
Сообщайте только об ошибках в программе, таких как: некорректная работа с веб-сайтами (когда веб-сайт работает без GoodbyeDPI, но ломается с GoodbyeDPI), несовместимость с антивирусами, проблемы с перенаправлением DNS, некорректная обработка пакетов, и другие проблемы.
Также посмотрите другие открытые и закрытые баги. Возможно, ваш вопрос или проблема уже обсуждались.
-->
**Describe the bug / Опишите проблему**
A clear and concise description of what the bug is. If the issue about software incompatibility, include your operating system version and software name/version.
Подробно опишите, в чём заключается проблема. Если проблема касается совместимости с другими программами, укажите версию вашей операционной системы, имя и версию программы.
**To Reproduce / Шаги воспроизведения проблемы**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior / ожидаемое поведение программы**
A clear and concise description of what you expected to happen.
Подробно опишите, как вы ожидаете, чтобы программа работала.
**Actual behavior / текущее поведение программы**
A clear and concise description of what you expected to happen.
Подробно опишите, что происходит с программой на текущий момент.
**Screenshots / Скриншоты**
If applicable, add screenshots to help explain your problem.
Если необходимо, добавьте скриншоты, объясняющие проблему.
**Additional context / дополнительная информация**

63
.github/ISSUE_TEMPLATE/bug.yml vendored Normal file
View File

@ -0,0 +1,63 @@
name: Bug Report / Сообщение об ошибке
description: File a bug report / Сообщить об ошибке в программе
body:
- type: markdown
attributes:
value: |
### USE THIS FORM ONLY FOR BUGS! The webside does not open? That's likely NOT a bug, do not report it here!
GoodbyeDPI does not guarantee to work with your ISP for every blocked website or at all. If GoodbyeDPI can't unblock some or any websites, this is most likely not a software bug, and you should not report it here.
Please only report software bugs, such as:
* program crash
* incorrect network packet handling
* antivirus incompatibility
* DNS redirection problems
* other software
Please make sure to check other opened and closed issues, it could be your bug has been reported already.
For questions, or if in doubt, [use NTC.party forum](https://ntc.party/c/community-software/goodbyedpi).
### ИСПОЛЬЗУЙТЕ ЭТУ ФОРМУ ТОЛЬКО ДЛЯ БАГОВ! Веб-сайт не открывается? Это, скорее всего, не баг, не сообщайте сюда!
GoodbyeDPI не гарантирует ни 100% работу с вашим провайдером, ни работу с каждым заблокированным сайтом. Если GoodbyeDPI не разблокирует доступ к некоторым или всем веб-сайтам, вероятнее всего, это не программная ошибка, и не стоит о ней сообщать здесь.
Пожалуйста, сообщайте только об ошибках в программе, таких как:
* падение программы
* некорректная обработка сетевых пакетов
* несовместимость с антивирусами
* проблемы с перенаправлением DNS
* другие ошибки в программе
Также посмотрите другие открытые и закрытые баги. Возможно, ошибка уже обсуждалась или исправлена.
Для вопросов, а также в случае сомнений в определении бага, обращайтесь [на форум NTC.party](https://ntc.party/c/community-software/goodbyedpi).
- type: input
id: os
attributes:
label: Operating system / операционная система
description: Enter your Windows version. For Windows 10 and 11 include build/update number.
placeholder: ex. Windows 10 20H2
validations:
required: true
- type: dropdown
id: is-svc
attributes:
label: Running as service / Запуск программы как сервис
description: Do you use GoodbyeDPI as a Windows Service?
options:
- I run it as a regular program / Запускаю программу обычным образом
- I installed it as a service / Установил как сервис Windows
validations:
required: true
- type: textarea
id: what-happened
attributes:
label: Describe the bug / Опишите ошибку программы
description: A clear and concise description of what the bug is / Подробно опишите, в чём заключается ошибка
placeholder: Attach the screenshots for clarity / При необходимости приложите скриншоты
validations:
required: true
- type: textarea
id: additional-info
attributes:
label: Additional information / Дополнительная информация
description: If you have a hints on why this bug happens, you can express it here / Если у вас есть предположения об источнике бага, вы можете изложить их здесь

5
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@ -0,0 +1,5 @@
blank_issues_enabled: false
contact_links:
- name: Questions about the program / Вопросы по програме
url: https://ntc.party/c/community-software/goodbyedpi/8
about: Please ask and answer questions on forum / Пожалуйста, задавайте вопросы только на форуме

12
.github/ISSUE_TEMPLATE/feature-request------------------------------------.md vendored
View File

@ -1,12 +0,0 @@
---
name: Feature request / предложить новую функциональность
about: Suggest an idea or function for this project / предложить новую идею или функциональность
title: ''
labels: ''
assignees: ''
---
**Description / Описание**
A clear and concise description of your suggestion.
Детальное описание вашего предложения.

15
.github/ISSUE_TEMPLATE/feature.yml vendored Normal file
View File

@ -0,0 +1,15 @@
name: Feature request / Предложить новую функциональность
description: Suggest an idea or function for this project / Предложить новую идею или функциональность в программе
body:
- type: markdown
attributes:
value: |
If you think of a great function or circumvention method which is missing from the program, go ahead and suggest it here.
Если вы придумали новую функцию или метод обхода, которого еще нет в программе, напишите о нем подробнее здесь.
- type: textarea
id: description
attributes:
label: Describe your feature / Опишите ваше предложение
validations:
required: true

78
.github/workflows/build.yml vendored Normal file
View File

@ -0,0 +1,78 @@
name: Build GoodbyeDPI
on:
push:
paths:
- 'src/**'
workflow_dispatch:
env:
WINDIVERT_URL: https://reqrypt.org/download/WinDivert-2.2.0-D.zip
WINDIVERT_NAME: WinDivert-2.2.0-D.zip
WINDIVERT_BASENAME: WinDivert-2.2.0-D
WINDIVERT_SHA256: 1d461cfdfa7ba88ebcfbb3603b71b703e9f72aba8aeff99a75ce293e6f89d2ba
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Declare short commit variable
id: vars
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Install MinGW-w64
run: >
sudo rm /var/lib/man-db/auto-update &&
sudo DEBIAN_FRONTEND=noninteractive XZ_DEFAULTS="-T0" XZ_OPT="-T0" eatmydata
apt install -y --no-install-recommends gcc-mingw-w64
- name: Download WinDivert from cache
id: windivert-cache
uses: actions/cache@v4
with:
path: ${{ env. WINDIVERT_NAME }}
key: ${{ env. WINDIVERT_SHA256 }}
- name: Download WinDivert from the website
if: steps.windivert-cache.outputs.cache-hit != 'true'
run: >
wget ${{ env. WINDIVERT_URL }} &&
(echo ${{ env. WINDIVERT_SHA256 }} ${{ env. WINDIVERT_NAME }} | sha256sum -c)
- name: Unpack WinDivert
run: unzip ${{ env. WINDIVERT_NAME }}
- name: Compile x86_64
run: >
cd src && make clean &&
make CPREFIX=x86_64-w64-mingw32- BIT64=1 WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x64 -j4
- name: Prepare x86_64 directory
run: |
mkdir goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x64/*.{dll,sys} goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86_64
uses: actions/upload-artifact@v4
with:
name: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_64_${{ steps.vars.outputs.sha_short }}
- name: Compile i686
run: >
cd src && make clean &&
make CPREFIX=i686-w64-mingw32- WINDIVERTHEADERS=../${{ env.WINDIVERT_BASENAME }}/include WINDIVERTLIBS=../${{ env.WINDIVERT_BASENAME }}/x86 -j4
- name: Prepare x86 directory
run: |
mkdir goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
cp src/goodbyedpi.exe ${{ env.WINDIVERT_BASENAME }}/x86/*.{dll,sys} goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
- name: Upload output file x86
uses: actions/upload-artifact@v4
with:
name: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}
path: goodbyedpi_x86_${{ steps.vars.outputs.sha_short }}

93
README.md
View File

@ -1,11 +1,19 @@
GoodbyeDPI — Passive Deep Packet Inspection blocker and Active DPI circumvention utility
GoodbyeDPI — Deep Packet Inspection circumvention utility
=========================
This software designed to bypass Deep Packet Inspection systems found in many Internet Service Providers which block access to certain websites.
It handles DPI connected using optical splitter or port mirroring (**Passive DPI**) which do not block any data but just replying faster than requested destination, and **Active DPI** connected in sequence.
**Windows 7, 8, 8.1 and 10** with administrator privileges required.
**Windows 7, 8, 8.1, 10 or 11** with administrator privileges required.
# Quick start
* **For Russia**: Download [latest version from Releases page](https://github.com/ValdikSS/GoodbyeDPI/releases), unpack the file and run **1_russia_blacklist_dnsredir.cmd** script.
* For other countries: Download [latest version from Releases page](https://github.com/ValdikSS/GoodbyeDPI/releases), unpack the file and run **2_any_country_dnsredir.cmd**.
These scripts launch GoodbyeDPI in recommended mode with DNS resolver redirection to Yandex DNS on non-standard port (to prevent DNS poisoning).
If it works — congratulations! You can use it as-is or configure further.
# How to use
@ -17,46 +25,72 @@ Usage: goodbyedpi.exe [OPTION...]
-r replace Host with hoSt
-s remove space between host header and its value
-m mix Host header case (test.com -> tEsT.cOm)
-f [value] set HTTP fragmentation to value
-k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value
-f <value> set HTTP fragmentation to value
-k <value> enable HTTP persistent (keep-alive) fragmentation and set it to value
-n do not wait for first segment ACK when -k is enabled
-e [value] set HTTPS fragmentation to value
-e <value> set HTTPS fragmentation to value
-a additional space between Method and Request-URI (enables -s, may break sites)
-w try to find and parse HTTP traffic on all processed ports (not only on port 80)
--port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)
--ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
--port <value> additional TCP port to perform fragmentation on (and HTTP tricks with -w)
--ip-id <value> handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).
This option can be supplied multiple times.
--dns-addr [value] redirect UDP DNS requests to the supplied IP address (experimental)
--dns-port [value] redirect UDP DNS requests to the supplied port (53 by default)
--dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
--dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)
--dns-addr <value> redirect UDP DNS requests to the supplied IP address (experimental)
--dns-port <value> redirect UDP DNS requests to the supplied port (53 by default)
--dnsv6-addr <value> redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)
--dnsv6-port <value> redirect UDPv6 DNS requests to the supplied port (53 by default)
--dns-verb print verbose DNS redirection messages
--blacklist [txtfile] perform HTTP tricks only to host names and subdomains from
supplied text file. This option can be supplied multiple times.
--set-ttl [value] activate Fake Request Mode and send it with supplied TTL value.
DANGEROUS! May break websites in unexpected ways. Use with care.
--blacklist <txtfile> perform circumvention tricks only to host names and subdomains from
supplied text file (HTTP Host/TLS SNI).
This option can be supplied multiple times.
--allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.
--frag-by-sni if SNI is detected in TLS packet, fragment the packet right before SNI value.
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
--auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease
it based on a distance. If the distance is shorter than a2, TTL is decreased
by a2. If it's longer, (a1; a2) scale is used with the distance as a weight.
If the resulting TTL is more than m(ax), set it to m.
Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3.
DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).
--min-ttl <value> minimum TTL distance (128/64 - TTL) for which to send Fake Request
in --set-ttl and --auto-ttl modes.
--wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.
May not work in a VM or with some routers, but is safer than set-ttl.
--wrong-seq activate Fake Request Mode and send it with TCP SEQ/ACK in the past.
--native-frag fragment (split) the packets by sending them in smaller packets, without
shrinking the Window Size. Works faster (does not slow down the connection)
and better.
--reverse-frag fragment (split) the packets just as --native-frag, but send them in the
reversed order. Works with the websites which could not handle segmented
HTTPS TLS ClientHello (because they receive the TCP flow "combined").
--max-payload [value] packets with TCP payload data more than [value] won't be processed.
Use this option to reduce CPU usage by skipping huge amount of data
(like file transfers) in already established sessions.
May skip some huge HTTP requests from being processed.
Default (if set): --max-payload 1200.
-1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)
LEGACY modesets:
-1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)
-2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)
-3 -p -r -s -e 40 (better speed for HTTP and HTTPS)
-4 -p -r -s (best speed)
Modern modesets (more stable, more compatible, faster):
-5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default)
-6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload
```
To check if your ISP's DPI could be circumvented, run `3_all_dnsredir_hardcore.cmd` first. This is the most hardcore mode which will show if this program is suitable for your ISP and DPI vendor at all. If you can open blocked websites with this mode, it means your ISP has DPI which can be circumvented. This is the slowest and prone to break websites mode, but suitable for most DPI.
To check if your ISP's DPI could be circumvented, first make sure that your provider does not poison DNS answers by enabling "Secure DNS (DNS over HTTPS)" option in your browser.
Try `goodbyedpi -1` to see if it works too.
* **Chrome**: Settings → [Privacy and security](chrome://settings/security) → Use secure DNS → With: NextDNS
* **Firefox**: [Settings](about:preferences) → Network Settings → Enable DNS over HTTPS → Use provider: NextDNS
Then try `goodbyedpi.exe -2`. It should be faster for HTTPS sites. Mode `-3` speed ups HTTP websites.
Then run the `goodbyedpi.exe` executable without any options. If it works — congratulations! You can use it as-is or configure further, for example by using `--blacklist` option if the list of blocked websites is known and available for your country.
Use `goodbyedpi.exe -4` if it works for your ISP's DPI. This is the fastest mode but not compatible with every DPI.
If your provider intercepts DNS requests, you may want to use `--dns-addr` option to a public DNS resolver running on non-standard port (such as Yandex DNS `77.88.8.8:1253`) or configure DNS over HTTPS/TLS using third-party applications.
Check the .cmd scripts and modify it according to your preference and network conditions.
# How does it work
@ -74,7 +108,7 @@ Active DPI is more tricky to fool. Currently the software uses 7 methods to circ
* Removing space between header name and value in `Host` header
* Adding additional space between HTTP Method (GET, POST etc) and URI
* Mixing case of Host header value
* Sending fake HTTP/HTTPS packets with low Time-To-Live value or incorrect checksum to fool DPI and prevent delivering them to the destination
* Sending fake HTTP/HTTPS packets with low Time-To-Live value, incorrect checksum or incorrect TCP Sequence/Acknowledgement numbers to fool DPI and prevent delivering them to the destination
These methods should not break any website as they're fully compatible with TCP and HTTP standards, yet it's sufficient to prevent DPI data classification and to circumvent censorship. Additional space may break some websites, although it's acceptable by HTTP/1.1 specification (see 19.3 Tolerant Applications).
@ -94,7 +128,8 @@ And for x86_64:
# How to install as Windows Service
Use `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
Check examples in `service_install_russia_blacklist.cmd`, `service_install_russia_blacklist_dnsredir.cmd` and `service_remove.cmd` scripts.
Modify them according to your own needs.
# Known issues
@ -106,11 +141,15 @@ Modify them according to your own needs.
# Similar projects
- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for Linux).
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows).
- **[DPITunnel](https://github.com/zhenyolka/DPITunnel)** by @zhenyolka (for Android).
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux).
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android).
- **[zapret](https://github.com/bol-van/zapret)** by @bol-van (for MacOS, Linux and Windows)
- **[Green Tunnel](https://github.com/SadeghHayeri/GreenTunnel)** by @SadeghHayeri (for MacOS, Linux and Windows)
- **[DPI Tunnel CLI](https://github.com/zhenyolka/DPITunnel-cli)** by @zhenyolka (for Linux and routers)
- **[DPI Tunnel for Android](https://github.com/zhenyolka/DPITunnel-android)** by @zhenyolka (for Android)
- **[PowerTunnel](https://github.com/krlvm/PowerTunnel)** by @krlvm (for Windows, MacOS and Linux)
- **[PowerTunnel for Android](https://github.com/krlvm/PowerTunnel-Android)** by @krlvm (for Android)
- **[SpoofDPI](https://github.com/xvzc/SpoofDPI)** by @xvzc (for macOS and Linux)
- **[GhosTCP](https://github.com/macronut/ghostcp)** by @macronut (for Windows)
- **[ByeDPI](https://github.com/hufrea/byedpi)** for Linux/Windows + **[ByeDPIAndroid](https://github.com/dovecoteescapee/ByeDPIAndroid/)** for Android (no root)
# Kudos

24
src/Makefile
View File

@ -9,26 +9,36 @@ MINGWLIB = /usr/x86_64-w64-mingw32/lib/
TARGET = goodbyedpi.exe
# Linking SSP does not work for some reason, the executable doesn't start.
#LIBS = -L$(WINDIVERTLIBS) -Wl,-Bstatic -lssp -Wl,-Bdynamic -lWinDivert -lws2_32
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32
LIBS = -L$(WINDIVERTLIBS) -lWinDivert -lws2_32 -l:libssp.a
CC = $(CPREFIX)gcc
CCWINDRES = $(CPREFIX)windres
ifeq (, $(shell which $(CPREFIX)windres))
CCWINDRES = windres
endif
CFLAGS = -std=c99 -pie -fPIE -pipe -I$(WINDIVERTHEADERS) -L$(WINDIVERTLIBS) \
-O2 -D_FORTIFY_SOURCE=2 \
-Wall -Wextra -Wpedantic -Wformat=2 -Wshadow -Wstrict-aliasing=1 -Werror=format-security \
-O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
-Wall -Wextra -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 \
-Wformat-security -Wno-format-nonliteral -Wshadow -Wstrict-aliasing=1 \
-Wnull-dereference -Warray-bounds=2 -Wimplicit-fallthrough=3 \
-Wstringop-overflow=4 \
-Wformat-signedness -Wstrict-overflow=2 -Wcast-align=strict \
-Wfloat-equal -Wcast-align -Wsign-conversion \
#-fstack-protector-strong
LDFLAGS = -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
LDFLAGS = -fstack-protector -Wl,-O1,-pie,--dynamicbase,--nxcompat,--sort-common,--as-needed \
-Wl,--image-base,0x140000000 -Wl,--disable-auto-image-base
ifdef BIT64
LDFLAGS += -Wl,--high-entropy-va -Wl,--pic-executable,-e,mainCRTStartup
else
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup
CFLAGS += -m32
LDFLAGS += -Wl,--pic-executable,-e,_mainCRTStartup -m32
endif
.PHONY: default all clean
default: manifest $(TARGET)
default: $(TARGET)
all: default
OBJECTS = $(patsubst %.c, %.o, $(wildcard *.c utils/*.c)) goodbyedpi-rc.o
@ -37,7 +47,7 @@ HEADERS = $(wildcard *.h utils/*.h)
%.o: %.c $(HEADERS)
$(CC) $(CFLAGS) -c $< -o $@
manifest:
goodbyedpi-rc.o:
$(CCWINDRES) goodbyedpi-rc.rc goodbyedpi-rc.o
.PRECIOUS: $(TARGET) $(OBJECTS)

14
src/blackwhitelist.c
View File

@ -35,14 +35,11 @@ static int add_hostname(const char *host) {
if (!host)
return FALSE;
int host_len = strlen(host);
blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t));
char *host_c = malloc(host_len + 1);
char *host_c = NULL;
if (!check_get_hostname(host)) {
strncpy(host_c, host, host_len);
host_c[host_len] = '\0';
host_c = strdup(host);
tmp_record->host = host_c;
HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host,
strlen(tmp_record->host), tmp_record);
@ -51,7 +48,8 @@ static int add_hostname(const char *host) {
}
debug("Not added host %s\n", host);
free(tmp_record);
free(host_c);
if (host_c)
free(host_c);
return FALSE;
}
@ -72,8 +70,10 @@ int blackwhitelist_load_list(const char *filename) {
line);
continue;
}
if (strlen(line) < 4)
if (strlen(line) < 3) {
printf("WARNING: host %s is less than 3 bytes, skipping\n", line);
continue;
}
if (add_hostname(line))
cnt++;
}

4
src/dnsredir.c
View File

@ -44,7 +44,7 @@ static time_t last_cleanup = 0;
static udp_connrecord_t *conntrack = NULL;
void flush_dns_cache() {
BOOL WINAPI (*DnsFlushResolverCache)();
INT_PTR WINAPI (*DnsFlushResolverCache)();
HMODULE dnsapi = LoadLibrary("dnsapi.dll");
if (dnsapi == NULL)
@ -53,7 +53,7 @@ void flush_dns_cache() {
exit(EXIT_FAILURE);
}
DnsFlushResolverCache = (void*)GetProcAddress(dnsapi, "DnsFlushResolverCache");
DnsFlushResolverCache = GetProcAddress(dnsapi, "DnsFlushResolverCache");
if (DnsFlushResolverCache == NULL || !DnsFlushResolverCache())
printf("Can't flush DNS cache!");
FreeLibrary(dnsapi);

3
src/dnsredir.h
View File

@ -1,3 +1,5 @@
#ifndef _DNSREDIR_H
#define _DNSREDIR_H
#include <stdint.h>
typedef struct conntrack_info {
@ -34,3 +36,4 @@ int dns_handle_outgoing(const uint32_t srcip[4], const uint16_t srcport,
void flush_dns_cache();
int dns_is_dns_packet(const char *packet_data, const UINT packet_dataLen, const int outgoing);
#endif

93
src/fakepackets.c
View File

@ -7,9 +7,9 @@
#include "windivert.h"
#include "goodbyedpi.h"
static const char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
"User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
"Accept-Encoding: deflate, gzip, br\r\n\r\n";
static const unsigned char fake_http_request[] = "GET / HTTP/1.1\r\nHost: www.w3.org\r\n"
"User-Agent: curl/7.65.3\r\nAccept: */*\r\n"
"Accept-Encoding: deflate, gzip, br\r\n\r\n";
static const unsigned char fake_https_request[] = {
0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03, 0x9a, 0x8f, 0xa7, 0x6a, 0x5d,
0x57, 0xf3, 0x62, 0x19, 0xbe, 0x46, 0x82, 0x45, 0xe2, 0x59, 0x5c, 0xb4, 0x48, 0x31, 0x12, 0x15,
@ -53,7 +53,8 @@ static int send_fake_data(const HANDLE w_filter,
const BOOL is_ipv6,
const BOOL is_https,
const BYTE set_ttl,
const BYTE set_checksum
const BYTE set_checksum,
const BYTE set_seq
) {
char packet_fake[MAX_PACKET_SIZE];
WINDIVERT_ADDRESS addr_new;
@ -63,22 +64,27 @@ static int send_fake_data(const HANDLE w_filter,
PWINDIVERT_IPHDR ppIpHdr;
PWINDIVERT_IPV6HDR ppIpV6Hdr;
PWINDIVERT_TCPHDR ppTcpHdr;
char *fake_request_data = is_https ? fake_https_request : fake_http_request;
unsigned const char *fake_request_data = is_https ? fake_https_request : fake_http_request;
UINT fake_request_size = is_https ? sizeof(fake_https_request) : sizeof(fake_http_request) - 1;
memcpy(&addr_new, addr, sizeof(WINDIVERT_ADDRESS));
memcpy(packet_fake, pkt, packetLen);
addr_new.TCPChecksum = 0;
addr_new.IPChecksum = 0;
if (!is_ipv6) {
// IPv4 TCP Data packet
if (!WinDivertHelperParsePacket(packet_fake, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
NULL, NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen,
NULL, NULL))
return 1;
}
else {
// IPv6 TCP Data packet
if (!WinDivertHelperParsePacket(packet_fake, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen))
&ppIpV6Hdr, NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen,
NULL, NULL))
return 1;
}
@ -107,43 +113,73 @@ static int send_fake_data(const HANDLE w_filter,
ppIpV6Hdr->HopLimit = set_ttl;
}
if (set_seq) {
// This is the smallest ACK drift Linux can't handle already, since at least v2.6.18.
// https://github.com/torvalds/linux/blob/v2.6.18/net/netfilter/nf_conntrack_proto_tcp.c#L395
ppTcpHdr->AckNum = htonl(ntohl(ppTcpHdr->AckNum) - 66000);
// This is just random, no specifics about this value.
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) - 10000);
}
// Recalculate the checksum
addr_new.PseudoTCPChecksum = 0;
WinDivertHelperCalcChecksums(packet_fake, packetLen_new, &addr_new, NULL);
WinDivertHelperCalcChecksums(packet_fake, packetLen_new, &addr_new, 0ULL);
if (set_checksum) {
// ...and damage it
ppTcpHdr->Checksum = htons(ntohs(ppTcpHdr->Checksum) - 1);
}
//printf("Pseudo checksum: %d\n", addr_new.PseudoTCPChecksum);
//printf("Pseudo checksum: %d\n", addr_new.TCPChecksum);
WinDivertSend(
w_filter, packet_fake,
packetLen_new,
&addr_new, NULL
NULL, &addr_new
);
debug("Fake packet: OK");
return 0;
}
static int send_fake_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BOOL is_https,
const BYTE set_ttl,
const BYTE set_checksum,
const BYTE set_seq
) {
if (set_ttl) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
set_ttl, FALSE, FALSE);
}
if (set_checksum) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
FALSE, set_checksum, FALSE);
}
if (set_seq) {
send_fake_data(w_filter, addr, pkt, packetLen,
is_ipv6, is_https,
FALSE, FALSE, set_seq);
}
return 0;
}
int send_fake_http_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
const char *pkt,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum
const BYTE set_checksum,
const BYTE set_seq
) {
return send_fake_data(w_filter,
addr,
pkt,
packetLen,
is_ipv6,
FALSE,
set_ttl,
set_checksum
);
return send_fake_request(w_filter, addr, pkt, packetLen,
is_ipv6, FALSE,
set_ttl, set_checksum, set_seq);
}
int send_fake_https_request(const HANDLE w_filter,
@ -152,15 +188,10 @@ int send_fake_https_request(const HANDLE w_filter,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum
const BYTE set_checksum,
const BYTE set_seq
) {
return send_fake_data(w_filter,
addr,
pkt,
packetLen,
is_ipv6,
TRUE,
set_ttl,
set_checksum
);
return send_fake_request(w_filter, addr, pkt, packetLen,
is_ipv6, TRUE,
set_ttl, set_checksum, set_seq);
}

6
src/fakepackets.h
View File

@ -4,7 +4,8 @@ int send_fake_http_request(const HANDLE w_filter,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum
const BYTE set_checksum,
const BYTE set_seq
);
int send_fake_https_request(const HANDLE w_filter,
const PWINDIVERT_ADDRESS addr,
@ -12,5 +13,6 @@ int send_fake_https_request(const HANDLE w_filter,
const UINT packetLen,
const BOOL is_ipv6,
const BYTE set_ttl,
const BYTE set_checksum
const BYTE set_checksum,
const BYTE set_seq
);

615
src/goodbyedpi.c
View File

@ -16,13 +16,14 @@
#include "utils/repl_str.h"
#include "service.h"
#include "dnsredir.h"
#include "ttltrack.h"
#include "blackwhitelist.h"
#include "fakepackets.h"
// My mingw installation does not load inet_pton definition for some reason
WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pAddr);
#define GOODBYEDPI_VERSION "v0.1.7"
#define GOODBYEDPI_VERSION "v0.2.2"
#define die() do { sleep(20); exit(EXIT_FAILURE); } while (0)
@ -60,8 +61,9 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
/* #IPID# is a template to find&replace */
#define IPID_TEMPLATE "#IPID#"
#define MAXPAYLOADSIZE_TEMPLATE "#MAXPAYLOADSIZE#"
#define FILTER_STRING_TEMPLATE \
"(tcp and !impostor and !loopback and " \
"(tcp and !impostor and !loopback " MAXPAYLOADSIZE_TEMPLATE " and " \
"((inbound and (" \
"(" \
"(" \
@ -88,13 +90,50 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
} \
else if (http_fragment_size != (unsigned int)fragment_size) { \
printf( \
"WARNING: HTTP fragment size is already set to %d, not changing.\n", \
"WARNING: HTTP fragment size is already set to %u, not changing.\n", \
http_fragment_size \
); \
} \
} while (0)
#define TCP_HANDLE_OUTGOING_TTL_PARSE_PACKET_IF() \
if ((packet_v4 && tcp_handle_outgoing(&ppIpHdr->SrcAddr, &ppIpHdr->DstAddr, \
ppTcpHdr->SrcPort, ppTcpHdr->DstPort, \
&tcp_conn_info, 0)) \
|| \
(packet_v6 && tcp_handle_outgoing(ppIpV6Hdr->SrcAddr, ppIpV6Hdr->DstAddr, \
ppTcpHdr->SrcPort, ppTcpHdr->DstPort, \
&tcp_conn_info, 1)))
#define TCP_HANDLE_OUTGOING_FAKE_PACKET(func) do { \
should_send_fake = 1; \
if (do_auto_ttl || ttl_min_nhops) { \
TCP_HANDLE_OUTGOING_TTL_PARSE_PACKET_IF() { \
if (do_auto_ttl) { \
/* If Auto TTL mode */ \
ttl_of_fake_packet = tcp_get_auto_ttl(tcp_conn_info.ttl, auto_ttl_1, auto_ttl_2, \
ttl_min_nhops, auto_ttl_max); \
if (do_tcp_verb) { \
printf("Connection TTL = %d, Fake TTL = %d\n", tcp_conn_info.ttl, ttl_of_fake_packet); \
} \
} \
else if (ttl_min_nhops) { \
/* If not Auto TTL mode but --min-ttl is set */ \
if (!tcp_get_auto_ttl(tcp_conn_info.ttl, 0, 0, ttl_min_nhops, 0)) { \
/* Send only if nhops >= min_ttl */ \
should_send_fake = 0; \
} \
} \
} \
} \
if (should_send_fake) \
func(w_filter, &addr, packet, packetLen, packet_v6, \
ttl_of_fake_packet, do_wrong_chksum, do_wrong_seq); \
} while (0)
static int running_from_service = 0;
static int exiting = 0;
static HANDLE filters[MAX_FILTERS];
static int filter_num = 0;
static const char http10_redirect_302[] = "HTTP/1.0 302 ";
@ -122,11 +161,17 @@ static struct option long_options[] = {
{"dnsv6-port", required_argument, 0, '@' },
{"dns-verb", no_argument, 0, 'v' },
{"blacklist", required_argument, 0, 'b' },
{"allow-no-sni",no_argument, 0, ']' },
{"frag-by-sni", no_argument, 0, '>' },
{"ip-id", required_argument, 0, 'i' },
{"set-ttl", required_argument, 0, '$' },
{"min-ttl", required_argument, 0, '[' },
{"auto-ttl", optional_argument, 0, '+' },
{"wrong-chksum",no_argument, 0, '%' },
{"wrong-seq", no_argument, 0, ')' },
{"native-frag", no_argument, 0, '*' },
{"reverse-frag",no_argument, 0, '(' },
{"max-payload", optional_argument, 0, '|' },
{0, 0, 0, 0 }
};
@ -136,7 +181,7 @@ static char *filter_passive_string = NULL;
static void add_filter_str(int proto, int port) {
const char *udp = " or (udp and !impostor and !loopback and " \
"(udp.SrcPort == %d or udp.DstPort == %d))";
const char *tcp = " or (tcp and !impostor and !loopback and " \
const char *tcp = " or (tcp and !impostor and !loopback " MAXPAYLOADSIZE_TEMPLATE " and " \
"(tcp.SrcPort == %d or tcp.DstPort == %d))";
char *current_filter = filter_string;
@ -146,9 +191,9 @@ static void add_filter_str(int proto, int port) {
strcpy(new_filter, current_filter);
if (proto == IPPROTO_UDP)
sprintf(&(new_filter[strlen(new_filter)]), udp, port, port);
sprintf(new_filter + strlen(new_filter), udp, port, port);
else
sprintf(&(new_filter[strlen(new_filter)]), tcp, port, port);
sprintf(new_filter + strlen(new_filter), tcp, port, port);
filter_string = new_filter;
free(current_filter);
@ -170,12 +215,27 @@ static void add_ip_id_str(int id) {
filter_passive_string = newstr;
}
static void finalize_filter_strings() {
static void add_maxpayloadsize_str(unsigned short maxpayload) {
char *newstr;
/* 0x47455420 is "GET ", 0x504F5354 is "POST", big endian. */
const char *maxpayloadsize_str = "and (tcp.PayloadLength ? tcp.PayloadLength < %hu or tcp.Payload32[0] == 0x47455420 or tcp.Payload32[0] == 0x504F5354 : true)";
char *addfilter = malloc(strlen(maxpayloadsize_str) + 16);
newstr = repl_str(filter_string, IPID_TEMPLATE, "");
sprintf(addfilter, maxpayloadsize_str, maxpayload);
newstr = repl_str(filter_string, MAXPAYLOADSIZE_TEMPLATE, addfilter);
free(filter_string);
filter_string = newstr;
}
static void finalize_filter_strings() {
char *newstr, *newstr2;
newstr2 = repl_str(filter_string, IPID_TEMPLATE, "");
newstr = repl_str(newstr2, MAXPAYLOADSIZE_TEMPLATE, "");
free(filter_string);
free(newstr2);
filter_string = newstr;
newstr = repl_str(filter_passive_string, IPID_TEMPLATE, "");
free(filter_passive_string);
@ -183,7 +243,7 @@ static void finalize_filter_strings() {
}
static char* dumb_memmem(const char* haystack, unsigned int hlen,
const char* needle, size_t nlen)
const char* needle, unsigned int nlen)
{
// naive implementation
if (nlen > hlen) return NULL;
@ -251,6 +311,7 @@ static HANDLE init(char *filter, UINT64 flags) {
static int deinit(HANDLE handle) {
if (handle) {
WinDivertShutdown(handle, WINDIVERT_SHUTDOWN_BOTH);
WinDivertClose(handle);
return TRUE;
}
@ -264,6 +325,7 @@ void deinit_all() {
}
static void sigint_handler(int sig __attribute__((unused))) {
exiting = 1;
deinit_all();
exit(EXIT_SUCCESS);
}
@ -308,24 +370,70 @@ static int find_header_and_get_info(const char *pktdata, unsigned int pktlen,
hdr_begin = dumb_memmem(pktdata, pktlen,
hdrname, strlen(hdrname));
if (!hdr_begin) return FALSE;
if ((PVOID)pktdata > (PVOID)hdr_begin) return FALSE;
if (pktdata > hdr_begin) return FALSE;
/* Set header address */
*hdrnameaddr = hdr_begin;
*hdrvalueaddr = (PVOID)hdr_begin + strlen(hdrname);
*hdrvalueaddr = hdr_begin + strlen(hdrname);
/* Search for header end (\r\n) */
data_addr_rn = dumb_memmem(*hdrvalueaddr,
pktlen - ((PVOID)*hdrvalueaddr - (PVOID)pktdata),
pktlen - (uintptr_t)(*hdrvalueaddr - pktdata),
"\r\n", 2);
if (data_addr_rn) {
*hdrvaluelen = (PVOID)data_addr_rn - (PVOID)*hdrvalueaddr;
if (*hdrvaluelen > 0u && *hdrvaluelen <= 512u)
*hdrvaluelen = (uintptr_t)(data_addr_rn - *hdrvalueaddr);
if (*hdrvaluelen >= 3 && *hdrvaluelen <= HOST_MAXLEN)
return TRUE;
}
return FALSE;
}
/**
* Very crude Server Name Indication (TLS ClientHello hostname) extractor.
*/
static int extract_sni(const char *pktdata, unsigned int pktlen,
char **hostnameaddr, unsigned int *hostnamelen) {
unsigned int ptr = 0;
unsigned const char *d = (unsigned const char *)pktdata;
unsigned const char *hnaddr = 0;
int hnlen = 0;
while (ptr + 8 < pktlen) {
/* Search for specific Extensions sequence */
if (d[ptr] == '\0' && d[ptr+1] == '\0' && d[ptr+2] == '\0' &&
d[ptr+4] == '\0' && d[ptr+6] == '\0' && d[ptr+7] == '\0' &&
/* Check Extension length, Server Name list length
* and Server Name length relations
*/
d[ptr+3] - d[ptr+5] == 2 && d[ptr+5] - d[ptr+8] == 3)
{
if (ptr + 8 + d[ptr+8] > pktlen) {
return FALSE;
}
hnaddr = &d[ptr+9];
hnlen = d[ptr+8];
/* Limit hostname size up to 253 bytes */
if (hnlen < 3 || hnlen > HOST_MAXLEN) {
return FALSE;
}
/* Validate that hostname has only ascii lowercase characters */
for (int i=0; i<hnlen; i++) {
if (!( (hnaddr[i] >= '0' && hnaddr[i] <= '9') ||
(hnaddr[i] >= 'a' && hnaddr[i] <= 'z') ||
hnaddr[i] == '.' || hnaddr[i] == '-'))
{
return FALSE;
}
}
*hostnameaddr = (char*)hnaddr;
*hostnamelen = (unsigned int)hnlen;
return TRUE;
}
ptr++;
}
return FALSE;
}
static inline void change_window_size(const PWINDIVERT_TCPHDR ppTcpHdr, unsigned int size) {
if (size >= 1 && size <= 0xFFFFu) {
ppTcpHdr->Window = htons((u_short)size);
@ -360,16 +468,23 @@ static PVOID find_http_method_end(const char *pkt, unsigned int http_frag, int *
* This function cuts off the end of the packet (step=0) or
* the beginning of the packet (step=1) with fragment_size bytes.
*/
static PVOID send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
static void send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
char *packet, UINT packetLen, PVOID packet_data,
UINT packet_dataLen, int packet_v4, int packet_v6,
PWINDIVERT_IPHDR ppIpHdr, PWINDIVERT_IPV6HDR ppIpV6Hdr,
PWINDIVERT_TCPHDR ppTcpHdr,
int fragment_size, int step) {
unsigned int fragment_size, int step) {
char packet_bak[MAX_PACKET_SIZE];
memcpy(&packet_bak, packet, packetLen);
memcpy(packet_bak, packet, packetLen);
UINT orig_packetLen = packetLen;
if (fragment_size >= packet_dataLen) {
if (step == 1)
fragment_size = 0;
else
return;
}
if (step == 0) {
if (packet_v4)
ppIpHdr->Length = htons(
@ -399,15 +514,15 @@ static PVOID send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
//printf("step1 (%d:%d), pp:%d, was:%d, now:%d\n", packet_v4, packet_v6, ntohs(ppIpHdr->Length),
// packetLen, packetLen - fragment_size);
memmove(packet_data,
packet_data + fragment_size,
(char*)packet_data + fragment_size,
packet_dataLen - fragment_size);
packetLen -= fragment_size;
ppTcpHdr->SeqNum = htonl(ntohl(ppTcpHdr->SeqNum) + fragment_size);
}
addr.PseudoIPChecksum = 0;
addr.PseudoTCPChecksum = 0;
addr.IPChecksum = 0;
addr.TCPChecksum = 0;
WinDivertHelperCalcChecksums(
packet, packetLen, &addr, 0
@ -415,9 +530,9 @@ static PVOID send_native_fragment(HANDLE w_filter, WINDIVERT_ADDRESS addr,
WinDivertSend(
w_filter, packet,
packetLen,
&addr, NULL
NULL, &addr
);
memcpy(packet, &packet_bak, orig_packetLen);
memcpy(packet, packet_bak, orig_packetLen);
//printf("Sent native fragment of %d size (step%d)\n", packetLen, step);
}
@ -428,6 +543,7 @@ int main(int argc, char *argv[]) {
ipv6_tcp, ipv6_tcp_data, ipv6_udp_data
} packet_type;
int i, should_reinject, should_recalc_checksum = 0;
int sni_ok = 0;
int opt;
int packet_v4, packet_v6;
HANDLE w_filter = NULL;
@ -441,6 +557,7 @@ int main(int argc, char *argv[]) {
PWINDIVERT_TCPHDR ppTcpHdr;
PWINDIVERT_UDPHDR ppUdpHdr;
conntrack_info_t dns_conn_info;
tcp_conntrack_info_t tcp_conn_info;
int do_passivedpi = 0, do_fragment_http = 0,
do_fragment_http_persistent = 0,
@ -450,14 +567,24 @@ int main(int argc, char *argv[]) {
do_http_allports = 0,
do_host_mixedcase = 0,
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
do_dns_verb = 0, do_blacklist = 0,
do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
do_allow_no_sni = 0,
do_fragment_by_sni = 0,
do_fake_packet = 0,
do_auto_ttl = 0,
do_wrong_chksum = 0,
do_wrong_seq = 0,
do_native_frag = 0, do_reverse_frag = 0;
unsigned int http_fragment_size = 0;
unsigned int https_fragment_size = 0;
unsigned int current_fragment_size = 0;
unsigned short max_payload_size = 0;
BYTE should_send_fake = 0;
BYTE ttl_of_fake_packet = 0;
BYTE ttl_min_nhops = 0;
BYTE auto_ttl_1 = 0;
BYTE auto_ttl_2 = 0;
BYTE auto_ttl_max = 0;
uint32_t dnsv4_addr = 0;
struct in6_addr dnsv6_addr = {0};
struct in6_addr dns_temp_addr = {0};
@ -504,15 +631,17 @@ int main(int argc, char *argv[]) {
);
if (argc == 1) {
/* enable mode -1 by default */
/* enable mode -5 by default */
do_fragment_http = do_fragment_https = 1;
do_reverse_frag = do_native_frag = 1;
http_fragment_size = https_fragment_size = 2;
do_passivedpi = do_host = do_host_removespace \
= do_fragment_http = do_fragment_https \
= do_fragment_http_persistent \
= do_fragment_http_persistent_nowait = 1;
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
do_fake_packet = 1;
do_auto_ttl = 1;
max_payload_size = 1200;
}
while ((opt = getopt_long(argc, argv, "1234prsaf:e:mwk:n", long_options, NULL)) != -1) {
while ((opt = getopt_long(argc, argv, "123456prsaf:e:mwk:n", long_options, NULL)) != -1) {
switch (opt) {
case '1':
do_passivedpi = do_host = do_host_removespace \
@ -535,6 +664,24 @@ int main(int argc, char *argv[]) {
case '4':
do_passivedpi = do_host = do_host_removespace = 1;
break;
case '5':
do_fragment_http = do_fragment_https = 1;
do_reverse_frag = do_native_frag = 1;
http_fragment_size = https_fragment_size = 2;
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
do_fake_packet = 1;
do_auto_ttl = 1;
max_payload_size = 1200;
break;
case '6':
do_fragment_http = do_fragment_https = 1;
do_reverse_frag = do_native_frag = 1;
http_fragment_size = https_fragment_size = 2;
do_fragment_http_persistent = do_fragment_http_persistent_nowait = 1;
do_fake_packet = 1;
do_wrong_seq = 1;
max_payload_size = 1200;
break;
case 'p':
do_passivedpi = 1;
break;
@ -572,7 +719,7 @@ int main(int argc, char *argv[]) {
case 'w':
do_http_allports = 1;
break;
case 'z':
case 'z': // --port
/* i is used as a temporary variable here */
i = atoi(optarg);
if (i <= 0 || i > 65535) {
@ -583,13 +730,13 @@ int main(int argc, char *argv[]) {
add_filter_str(IPPROTO_TCP, i);
i = 0;
break;
case 'i':
case 'i': // --ip-id
/* i is used as a temporary variable here */
i = atousi(optarg, "IP ID parameter error!\n");
add_ip_id_str(i);
i = 0;
break;
case 'd':
case 'd': // --dns-addr
if ((inet_pton(AF_INET, optarg, dns_temp_addr.s6_addr) == 1) &&
!do_dnsv4_redirect)
{
@ -605,7 +752,7 @@ int main(int argc, char *argv[]) {
puts("DNS address parameter error!");
exit(EXIT_FAILURE);
break;
case '!':
case '!': // --dnsv6-addr
if ((inet_pton(AF_INET6, optarg, dns_temp_addr.s6_addr) == 1) &&
!do_dnsv6_redirect)
{
@ -621,7 +768,7 @@ int main(int argc, char *argv[]) {
puts("DNS address parameter error!");
exit(EXIT_FAILURE);
break;
case 'g':
case 'g': // --dns-port
if (!do_dnsv4_redirect) {
puts("--dns-port should be used with --dns-addr!\n"
"Make sure you use --dns-addr and pass it before "
@ -634,7 +781,7 @@ int main(int argc, char *argv[]) {
}
dnsv4_port = htons(dnsv4_port);
break;
case '@':
case '@': // --dnsv6-port
if (!do_dnsv6_redirect) {
puts("--dnsv6-port should be used with --dnsv6-addr!\n"
"Make sure you use --dnsv6-addr and pass it before "
@ -649,33 +796,91 @@ int main(int argc, char *argv[]) {
break;
case 'v':
do_dns_verb = 1;
do_tcp_verb = 1;
break;
case 'b':
case 'b': // --blacklist
do_blacklist = 1;
if (!blackwhitelist_load_list(optarg)) {
printf("Can't load blacklist from file!\n");
exit(EXIT_FAILURE);
}
break;
case '$':
case ']': // --allow-no-sni
do_allow_no_sni = 1;
break;
case '>': // --frag-by-sni
do_fragment_by_sni = 1;
break;
case '$': // --set-ttl
do_auto_ttl = auto_ttl_1 = auto_ttl_2 = auto_ttl_max = 0;
do_fake_packet = 1;
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
break;
case '%':
case '[': // --min-ttl
do_fake_packet = 1;
ttl_min_nhops = atoub(optarg, "Set Minimum TTL number of hops parameter error!");
break;
case '+': // --auto-ttl
do_fake_packet = 1;
do_auto_ttl = 1;
if (!optarg && argv[optind] && argv[optind][0] != '-')
optarg = argv[optind];
if (optarg) {
char *autottl_copy = strdup(optarg);
if (strchr(autottl_copy, '-')) {
// token "-" found, start X-Y parser
char *autottl_current = strtok(autottl_copy, "-");
auto_ttl_1 = atoub(autottl_current, "Set Auto TTL parameter error!");
autottl_current = strtok(NULL, "-");
if (!autottl_current) {
puts("Set Auto TTL parameter error!");
exit(EXIT_FAILURE);
}
auto_ttl_2 = atoub(autottl_current, "Set Auto TTL parameter error!");
autottl_current = strtok(NULL, "-");
if (!autottl_current) {
puts("Set Auto TTL parameter error!");
exit(EXIT_FAILURE);
}
auto_ttl_max = atoub(autottl_current, "Set Auto TTL parameter error!");
}
else {
// single digit parser
auto_ttl_2 = atoub(optarg, "Set Auto TTL parameter error!");
auto_ttl_1 = auto_ttl_2;
}
free(autottl_copy);
}
break;
case '%': // --wrong-chksum
do_fake_packet = 1;
do_wrong_chksum = 1;
break;
case '*':
case ')': // --wrong-seq
do_fake_packet = 1;
do_wrong_seq = 1;
break;
case '*': // --native-frag
do_native_frag = 1;
do_fragment_http_persistent = 1;
do_fragment_http_persistent_nowait = 1;
break;
case '(':
case '(': // --reverse-frag
do_reverse_frag = 1;
do_native_frag = 1;
do_fragment_http_persistent = 1;
do_fragment_http_persistent_nowait = 1;
break;
case '|': // --max-payload
if (!optarg && argv[optind] && argv[optind][0] != '-')
optarg = argv[optind];
if (optarg)
max_payload_size = atousi(optarg, "Max payload size parameter error!");
else
max_payload_size = 1200;
break;
default:
puts("Usage: goodbyedpi.exe [OPTION...]\n"
" -p block passive DPI\n"
@ -683,37 +888,58 @@ int main(int argc, char *argv[]) {
" -s remove space between host header and its value\n"
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
" -m mix Host header case (test.com -> tEsT.cOm)\n"
" -f [value] set HTTP fragmentation to value\n"
" -k [value] enable HTTP persistent (keep-alive) fragmentation and set it to value\n"
" -f <value> set HTTP fragmentation to value\n"
" -k <value> enable HTTP persistent (keep-alive) fragmentation and set it to value\n"
" -n do not wait for first segment ACK when -k is enabled\n"
" -e [value] set HTTPS fragmentation to value\n"
" -e <value> set HTTPS fragmentation to value\n"
" -w try to find and parse HTTP traffic on all processed ports (not only on port 80)\n"
" --port [value] additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
" --ip-id [value] handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
" --dns-addr [value] redirect UDPv4 DNS requests to the supplied IPv4 address (experimental)\n"
" --dns-port [value] redirect UDPv4 DNS requests to the supplied port (53 by default)\n"
" --dnsv6-addr [value] redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)\n"
" --dnsv6-port [value] redirect UDPv6 DNS requests to the supplied port (53 by default)\n"
" --port <value> additional TCP port to perform fragmentation on (and HTTP tricks with -w)\n"
" --ip-id <value> handle additional IP ID (decimal, drop redirects and TCP RSTs with this ID).\n"
" --dns-addr <value> redirect UDPv4 DNS requests to the supplied IPv4 address (experimental)\n"
" --dns-port <value> redirect UDPv4 DNS requests to the supplied port (53 by default)\n"
" --dnsv6-addr <value> redirect UDPv6 DNS requests to the supplied IPv6 address (experimental)\n"
" --dnsv6-port <value> redirect UDPv6 DNS requests to the supplied port (53 by default)\n"
" --dns-verb print verbose DNS redirection messages\n"
" --blacklist [txtfile] perform HTTP tricks only to host names and subdomains from\n"
" supplied text file. This option can be supplied multiple times.\n"
" --set-ttl [value] activate Fake Request Mode and send it with supplied TTL value.\n"
" DANGEROUS! May break websites in unexpected ways. Use with care.\n"
" Could be combined with --wrong-chksum.\n"
" --blacklist <txtfile> perform circumvention tricks only to host names and subdomains from\n"
" supplied text file (HTTP Host/TLS SNI).\n"
" This option can be supplied multiple times.\n"
" --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n"
" --frag-by-sni if SNI is detected in TLS packet, fragment the packet right before SNI value.\n"
" --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n"
" DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
" --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease\n"
" it based on a distance. If the distance is shorter than a2, TTL is decreased\n"
" by a2. If it's longer, (a1; a2) scale is used with the distance as a weight.\n"
" If the resulting TTL is more than m(ax), set it to m.\n"
" Default (if set): --auto-ttl 1-4-10. Also sets --min-ttl 3.\n"
" DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
" --min-ttl <value> minimum TTL distance (128/64 - TTL) for which to send Fake Request\n"
" in --set-ttl and --auto-ttl modes.\n"
" --wrong-chksum activate Fake Request Mode and send it with incorrect TCP checksum.\n"
" May not work in a VM or with some routers, but is safer than set-ttl.\n"
" Could be combined with --set-ttl\n"
" --wrong-seq activate Fake Request Mode and send it with TCP SEQ/ACK in the past.\n"
" --native-frag fragment (split) the packets by sending them in smaller packets, without\n"
" shrinking the Window Size. Works faster (does not slow down the connection)\n"
" and better.\n"
" --reverse-frag fragment (split) the packets just as --native-frag, but send them in the\n"
" reversed order. Works with the websites which could not handle segmented\n"
" HTTPS TLS ClientHello (because they receive the TCP flow \"combined\").\n"
"\n"
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode, default)\n"
" --max-payload [value] packets with TCP payload data more than [value] won't be processed.\n"
" Use this option to reduce CPU usage by skipping huge amount of data\n"
" (like file transfers) in already established sessions.\n"
" May skip some huge HTTP requests from being processed.\n"
" Default (if set): --max-payload 1200.\n"
"\n");
puts("LEGACY modesets:\n"
" -1 -p -r -s -f 2 -k 2 -n -e 2 (most compatible mode)\n"
" -2 -p -r -s -f 2 -k 2 -n -e 40 (better speed for HTTPS yet still compatible)\n"
" -3 -p -r -s -e 40 (better speed for HTTP and HTTPS)\n"
" -4 -p -r -s (best speed)");
" -4 -p -r -s (best speed)"
"\n"
"Modern modesets (more stable, more compatible, faster):\n"
" -5 -f 2 -e 2 --auto-ttl --reverse-frag --max-payload (this is the default)\n"
" -6 -f 2 -e 2 --wrong-seq --reverse-frag --max-payload\n");
exit(EXIT_FAILURE);
}
}
@ -722,31 +948,77 @@ int main(int argc, char *argv[]) {
http_fragment_size = 2;
if (!https_fragment_size)
https_fragment_size = 2;
printf("Block passive: %d\nFragment HTTP: %d\nFragment persistent HTTP: %d\n"
"Fragment HTTPS: %d\nNative fragmentation (splitting): %d\n"
"Fragments sending in reverse: %d\n"
"hoSt: %d\nHost no space: %d\nAdditional space: %d\n"
"Mix Host: %d\nHTTP AllPorts: %d\nHTTP Persistent Nowait: %d\n"
"DNS redirect: %d\nDNSv6 redirect: %d\n"
"Fake requests, TTL: %hu\nFake requests, wrong checksum: %d\n",
do_passivedpi, (do_fragment_http ? http_fragment_size : 0),
(do_fragment_http_persistent ? http_fragment_size : 0),
(do_fragment_https ? https_fragment_size : 0),
do_native_frag, do_reverse_frag,
do_host, do_host_removespace, do_additional_space, do_host_mixedcase,
do_http_allports, do_fragment_http_persistent_nowait, do_dnsv4_redirect,
do_dnsv6_redirect, ttl_of_fake_packet, do_wrong_chksum
);
if (do_fragment_http && http_fragment_size > 2) {
printf("WARNING: HTTP fragmentation values > 2 are not fully compatible "
"with other options. Please use values <= 2 or disable HTTP fragmentation "
"completely.\n");
if (!auto_ttl_1)
auto_ttl_1 = 1;
if (!auto_ttl_2)
auto_ttl_2 = 4;
if (do_auto_ttl) {
if (!ttl_min_nhops)
ttl_min_nhops = 3;
if (!auto_ttl_max)
auto_ttl_max = 10;
}
printf("\nOpening filter\n");
printf("Block passive: %d\n" /* 1 */
"Fragment HTTP: %u\n" /* 2 */
"Fragment persistent HTTP: %u\n" /* 3 */
"Fragment HTTPS: %u\n" /* 4 */
"Fragment by SNI: %u\n" /* 5 */
"Native fragmentation (splitting): %d\n" /* 5 */
"Fragments sending in reverse: %d\n" /* 6 */
"hoSt: %d\n" /* 7 */
"Host no space: %d\n" /* 8 */
"Additional space: %d\n" /* 9 */
"Mix Host: %d\n" /* 10 */
"HTTP AllPorts: %d\n" /* 11 */
"HTTP Persistent Nowait: %d\n" /* 12 */
"DNS redirect: %d\n" /* 13 */
"DNSv6 redirect: %d\n" /* 14 */
"Allow missing SNI: %d\n" /* 15 */
"Fake requests, TTL: %s (fixed: %hu, auto: %hu-%hu-%hu, min distance: %hu)\n" /* 16 */
"Fake requests, wrong checksum: %d\n" /* 17 */
"Fake requests, wrong SEQ/ACK: %d\n" /* 18 */
"Max payload size: %hu\n", /* 19 */
do_passivedpi, /* 1 */
(do_fragment_http ? http_fragment_size : 0), /* 2 */
(do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
(do_fragment_https ? https_fragment_size : 0), /* 4 */
do_fragment_by_sni, /* 5 */
do_native_frag, /* 6 */
do_reverse_frag, /* 7 */
do_host, /* 8 */
do_host_removespace, /* 9 */
do_additional_space, /* 10 */
do_host_mixedcase, /* 11 */
do_http_allports, /* 12 */
do_fragment_http_persistent_nowait, /* 13 */
do_dnsv4_redirect, /* 14 */
do_dnsv6_redirect, /* 15 */
do_allow_no_sni, /* 16 */
do_auto_ttl ? "auto" : (do_fake_packet ? "fixed" : "disabled"), /* 17 */
ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
do_wrong_chksum, /* 18 */
do_wrong_seq, /* 19 */
max_payload_size /* 20 */
);
if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
puts("\nWARNING: HTTP fragmentation values > 2 are not fully compatible "
"with other options. Please use values <= 2 or disable HTTP fragmentation "
"completely.");
}
if (do_native_frag && !(do_fragment_http || do_fragment_https)) {
puts("\nERROR: Native fragmentation is enabled but fragment sizes are not set.\n"
"Fragmentation has no effect.");
die();
}
if (max_payload_size)
add_maxpayloadsize_str(max_payload_size);
finalize_filter_strings();
puts("\nOpening filter");
filter_num = 0;
if (do_passivedpi) {
@ -773,15 +1045,16 @@ int main(int argc, char *argv[]) {
die();
}
printf("Filter activated!\n");
printf("Filter activated, GoodbyeDPI is now running!\n");
signal(SIGINT, sigint_handler);
while (1) {
if (WinDivertRecv(w_filter, packet, sizeof(packet), &addr, &packetLen)) {
debug("Got %s packet, len=%d!\n", addr.Direction ? "inbound" : "outbound",
if (WinDivertRecv(w_filter, packet, sizeof(packet), &packetLen, &addr)) {
debug("Got %s packet, len=%d!\n", addr.Outbound ? "outbound" : "inbound",
packetLen);
should_reinject = 1;
should_recalc_checksum = 0;
sni_ok = 0;
ppIpHdr = (PWINDIVERT_IPHDR)NULL;
ppIpV6Hdr = (PWINDIVERT_IPV6HDR)NULL;
@ -791,35 +1064,35 @@ int main(int argc, char *argv[]) {
packet_type = unknown;
// Parse network packet and set it's type
if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)))
if (WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
&ppIpV6Hdr, NULL, NULL, NULL, &ppTcpHdr, &ppUdpHdr, &packet_data, &packet_dataLen,
NULL, NULL))
{
packet_type = ipv4_tcp_data;
}
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, &packet_data, &packet_dataLen)))
{
packet_type = ipv6_tcp_data;
}
else if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)))
{
packet_type = ipv4_tcp;
}
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, &ppTcpHdr, NULL, NULL, NULL)))
{
packet_type = ipv6_tcp;
}
else if ((packet_v4 = WinDivertHelperParsePacket(packet, packetLen, &ppIpHdr,
NULL, NULL, NULL, NULL, &ppUdpHdr, &packet_data, &packet_dataLen)))
{
packet_type = ipv4_udp_data;
}
else if ((packet_v6 = WinDivertHelperParsePacket(packet, packetLen, NULL,
&ppIpV6Hdr, NULL, NULL, NULL, &ppUdpHdr, &packet_data, &packet_dataLen)))
{
packet_type = ipv6_udp_data;
if (ppIpHdr) {
packet_v4 = 1;
if (ppTcpHdr) {
packet_type = ipv4_tcp;
if (packet_data) {
packet_type = ipv4_tcp_data;
}
}
else if (ppUdpHdr && packet_data) {
packet_type = ipv4_udp_data;
}
}
else if (ppIpV6Hdr) {
packet_v6 = 1;
if (ppTcpHdr) {
packet_type = ipv6_tcp;
if (packet_data) {
packet_type = ipv6_tcp_data;
}
}
else if (ppUdpHdr && packet_data) {
packet_type = ipv6_udp_data;
}
}
}
debug("packet_type: %d, packet_v4: %d, packet_v6: %d\n", packet_type, packet_v4, packet_v6);
@ -829,7 +1102,7 @@ int main(int argc, char *argv[]) {
/* Got a TCP packet WITH DATA */
/* Handle INBOUND packet with data and find HTTP REDIRECT in there */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND && packet_dataLen > 16) {
if (!addr.Outbound && packet_dataLen > 16) {
/* If INBOUND packet with DATA (tcp.Ack) */
/* Drop packets from filter with HTTP 30x Redirect */
@ -853,26 +1126,51 @@ int main(int argc, char *argv[]) {
/* Handle OUTBOUND packet on port 443, search for something that resembles
* TLS handshake, send fake request.
*/
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
else if (addr.Outbound &&
((do_fragment_https ? packet_dataLen == https_fragment_size : 0) ||
packet_dataLen > 16) &&
ppTcpHdr->DstPort != htons(80) &&
(do_fake_packet || do_native_frag)
)
{
if (packet_dataLen >=2 && memcmp(packet_data, "\x16\x03", 2) == 0) {
if (do_fake_packet) {
send_fake_https_request(w_filter, &addr, packet, packetLen, packet_v6,
ttl_of_fake_packet, do_wrong_chksum);
/**
* In case of Window Size fragmentation=2, we'll receive only 2 byte packet.
* But if the packet is more than 2 bytes, check ClientHello byte.
*/
if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
(packet_dataLen >= 3 && ( memcmp(packet_data, "\x16\x03\x01", 3) == 0 || memcmp(packet_data, "\x16\x03\x03", 3) == 0 )))
{
if (do_blacklist || do_fragment_by_sni) {
sni_ok = extract_sni(packet_data, packet_dataLen,
&host_addr, &host_len);
}
if (do_native_frag) {
// Signal for native fragmentation code handler
should_recalc_checksum = 1;
if (
(do_blacklist && sni_ok &&
blackwhitelist_check_hostname(host_addr, host_len)
) ||
(do_blacklist && !sni_ok && do_allow_no_sni) ||
(!do_blacklist)
)
{
#ifdef DEBUG
char lsni[HOST_MAXLEN + 1] = {0};
extract_sni(packet_data, packet_dataLen,
&host_addr, &host_len);
memcpy(lsni, host_addr, host_len);
printf("Blocked HTTPS website SNI: %s\n", lsni);
#endif
if (do_fake_packet) {
TCP_HANDLE_OUTGOING_FAKE_PACKET(send_fake_https_request);
}
if (do_native_frag) {
// Signal for native fragmentation code handler
should_recalc_checksum = 1;
}
}
}
}
/* Handle OUTBOUND packet on port 80, search for Host header */
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND &&
else if (addr.Outbound &&
packet_dataLen > 16 &&
(do_http_allports ? 1 : (ppTcpHdr->DstPort == htons(80))) &&
find_http_method_end(packet_data,
@ -891,15 +1189,20 @@ int main(int argc, char *argv[]) {
{
host_addr = hdr_value_addr;
host_len = hdr_value_len;
#ifdef DEBUG
char lhost[HOST_MAXLEN + 1] = {0};
memcpy(lhost, host_addr, host_len);
printf("Blocked HTTP website Host: %s\n", lhost);
#endif
if (do_native_frag) {
// Signal for native fragmentation code handler
should_recalc_checksum = 1;
}
if (do_fake_packet)
send_fake_http_request(w_filter, &addr, packet, packetLen, packet_v6,
ttl_of_fake_packet, do_wrong_chksum);
if (do_fake_packet) {
TCP_HANDLE_OUTGOING_FAKE_PACKET(send_fake_http_request);
}
if (do_host_mixedcase) {
mix_case(host_addr, host_len);
@ -923,7 +1226,7 @@ int main(int argc, char *argv[]) {
if (method_addr) {
memmove(method_addr + 1, method_addr,
(PVOID)host_addr - (PVOID)method_addr - 1);
(size_t)(host_addr - method_addr - 1));
should_recalc_checksum = 1;
}
}
@ -951,10 +1254,10 @@ int main(int argc, char *argv[]) {
* to the end of User-Agent
*/
memmove(host_addr - 1, host_addr,
(PVOID)useragent_addr + useragent_len - (PVOID)host_addr);
(size_t)(useragent_addr + useragent_len - host_addr));
host_addr -= 1;
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len - 1) = ' ';
*(char*)((unsigned char*)useragent_addr + useragent_len - 1) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
@ -964,11 +1267,11 @@ int main(int argc, char *argv[]) {
/* Move one byte to the RIGHT from the end of User-Agent
* to the "Host:"
*/
memmove((PVOID)useragent_addr + useragent_len + 1,
(PVOID)useragent_addr + useragent_len,
(PVOID)host_addr - 1 - ((PVOID)useragent_addr + useragent_len));
memmove(useragent_addr + useragent_len + 1,
useragent_addr + useragent_len,
(size_t)(host_addr - 1 - (useragent_addr + useragent_len)));
/* Put space in the end of User-Agent header */
*(char*)((PVOID)useragent_addr + useragent_len) = ' ';
*(char*)((unsigned char*)useragent_addr + useragent_len) = ' ';
should_recalc_checksum = 1;
//printf("Replaced Host header!\n");
}
@ -990,7 +1293,11 @@ int main(int argc, char *argv[]) {
current_fragment_size = http_fragment_size;
}
else if (do_fragment_https && ppTcpHdr->DstPort != htons(80)) {
current_fragment_size = https_fragment_size;
if (do_fragment_by_sni && sni_ok) {
current_fragment_size = (void*)host_addr - packet_data;
} else {
current_fragment_size = https_fragment_size;
}
}
if (current_fragment_size) {
@ -1011,21 +1318,38 @@ int main(int argc, char *argv[]) {
/* Else if we got TCP packet without data */
else if (packet_type == ipv4_tcp || packet_type == ipv6_tcp) {
/* If we got INBOUND SYN+ACK packet */
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND &&
ppTcpHdr->Syn == 1 && ppTcpHdr->Ack == 1 &&
!do_native_frag) {
if (!addr.Outbound &&
ppTcpHdr->Syn == 1 && ppTcpHdr->Ack == 1) {
//printf("Changing Window Size!\n");
/*
* Window Size is changed even if do_fragment_http_persistent
* is enabled as there could be non-HTTP data on port 80
*/
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
change_window_size(ppTcpHdr, http_fragment_size);
should_recalc_checksum = 1;
if (do_fake_packet && (do_auto_ttl || ttl_min_nhops)) {
if (!((packet_v4 && tcp_handle_incoming(&ppIpHdr->SrcAddr, &ppIpHdr->DstAddr,
ppTcpHdr->SrcPort, ppTcpHdr->DstPort,
0, ppIpHdr->TTL))
||
(packet_v6 && tcp_handle_incoming((uint32_t*)&ppIpV6Hdr->SrcAddr,
(uint32_t*)&ppIpV6Hdr->DstAddr,
ppTcpHdr->SrcPort, ppTcpHdr->DstPort,
1, ppIpV6Hdr->HopLimit))))
{
if (do_tcp_verb)
puts("[TCP WARN] Can't add TCP connection record.");
}
}
else if (do_fragment_https && ppTcpHdr->SrcPort != htons(80)) {
change_window_size(ppTcpHdr, https_fragment_size);
should_recalc_checksum = 1;
if (!do_native_frag) {
if (do_fragment_http && ppTcpHdr->SrcPort == htons(80)) {
change_window_size(ppTcpHdr, http_fragment_size);
should_recalc_checksum = 1;
}
else if (do_fragment_https && ppTcpHdr->SrcPort != htons(80)) {
change_window_size(ppTcpHdr, https_fragment_size);
should_recalc_checksum = 1;
}
}
}
}
@ -1034,7 +1358,7 @@ int main(int argc, char *argv[]) {
else if ((do_dnsv4_redirect && (packet_type == ipv4_udp_data)) ||
(do_dnsv6_redirect && (packet_type == ipv6_udp_data)))
{
if (addr.Direction == WINDIVERT_DIRECTION_INBOUND) {
if (!addr.Outbound) {
if ((packet_v4 && dns_handle_incoming(&ppIpHdr->DstAddr, ppUdpHdr->DstPort,
packet_data, packet_dataLen,
&dns_conn_info, 0))
@ -1064,7 +1388,7 @@ int main(int argc, char *argv[]) {
}
}
else if (addr.Direction == WINDIVERT_DIRECTION_OUTBOUND) {
else if (addr.Outbound) {
if ((packet_v4 && dns_handle_outgoing(&ppIpHdr->SrcAddr, ppUdpHdr->SrcPort,
&ppIpHdr->DstAddr, ppUdpHdr->DstPort,
packet_data, packet_dataLen, 0))
@ -1100,14 +1424,15 @@ int main(int argc, char *argv[]) {
if (should_reinject) {
//printf("Re-injecting!\n");
if (should_recalc_checksum) {
WinDivertHelperCalcChecksums(packet, packetLen, &addr, NULL);
WinDivertHelperCalcChecksums(packet, packetLen, &addr, (UINT64)0LL);
}
WinDivertSend(w_filter, packet, packetLen, &addr, NULL);
WinDivertSend(w_filter, packet, packetLen, NULL, &addr);
}
}
else {
// error, ignore
printf("Error receiving packet!\n");
if (!exiting)
printf("Error receiving packet!\n");
break;
}
}

4
src/service.c
View File

@ -30,7 +30,7 @@ int service_register(int argc, char *argv[])
*/
if (!service_argc && !service_argv) {
service_argc = argc;
service_argv = malloc(sizeof(void*) * argc);
service_argv = calloc((size_t)(argc + 1), sizeof(void*));
for (i = 0; i < argc; i++) {
service_argv[i] = strdup(argv[i]);
}
@ -71,7 +71,7 @@ void service_main(int argc __attribute__((unused)),
SetServiceStatus(hStatus, &ServiceStatus);
// Calling main with saved argc & argv
ServiceStatus.dwWin32ExitCode = main(service_argc, service_argv);
ServiceStatus.dwWin32ExitCode = (DWORD)main(service_argc, service_argv);
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus(hStatus, &ServiceStatus);
return;

252
src/ttltrack.c Normal file
View File

@ -0,0 +1,252 @@
/**
* TCP (TTL) Connection Tracker for GoodbyeDPI
*
* Monitors SYN/ACK only, to extract the TTL value of the remote server.
*
*/
#include <windows.h>
#include <time.h>
#include <stdio.h>
#include <math.h>
#include "goodbyedpi.h"
#include "ttltrack.h"
#include "utils/uthash.h"
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
#define TCP_CONNRECORD_KEY_LEN 37
#define TCP_CLEANUP_INTERVAL_SEC 30
/* HACK!
* uthash uses strlen() for HASH_FIND_STR.
* We have null bytes in our key, so we can't use strlen()
* And since it's always TCP_CONNRECORD_KEY_LEN bytes long,
* we don't need to use any string function to determine length.
*/
#undef uthash_strlen
#define uthash_strlen(s) TCP_CONNRECORD_KEY_LEN
typedef struct tcp_connrecord {
/* key ('4' for IPv4 or '6' for IPv6 + srcip[16] + dstip[16] + srcport[2] + dstport[2]) */
char key[TCP_CONNRECORD_KEY_LEN];
time_t time; /* time when this record was added */
uint16_t ttl;
UT_hash_handle hh; /* makes this structure hashable */
} tcp_connrecord_t;
static time_t last_cleanup = 0;
static tcp_connrecord_t *conntrack = NULL;
inline static void fill_key_data(char *key, const uint8_t is_ipv6, const uint32_t srcip[4],
const uint32_t dstip[4], const uint16_t srcport, const uint16_t dstport)
{
unsigned int offset = 0;
if (is_ipv6) {
*(uint8_t*)(key) = '6';
offset += sizeof(uint8_t);
ipv6_copy_addr((uint32_t*)(key + offset), srcip);
offset += sizeof(uint32_t) * 4;
ipv6_copy_addr((uint32_t*)(key + offset), dstip);
offset += sizeof(uint32_t) * 4;
}
else {
*(uint8_t*)(key) = '4';
offset += sizeof(uint8_t);
ipv4_copy_addr((uint32_t*)(key + offset), srcip);
offset += sizeof(uint32_t) * 4;
ipv4_copy_addr((uint32_t*)(key + offset), dstip);
offset += sizeof(uint32_t) * 4;
}
*(uint16_t*)(key + offset) = srcport;
offset += sizeof(srcport);
*(uint16_t*)(key + offset) = dstport;
offset += sizeof(dstport);
}
inline static void fill_data_from_key(uint8_t *is_ipv6, uint32_t srcip[4], uint32_t dstip[4],
uint16_t *srcport, uint16_t *dstport, const char *key)
{
unsigned int offset = 0;
if (key[0] == '6') {
*is_ipv6 = 1;
offset += sizeof(uint8_t);
ipv6_copy_addr(srcip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
ipv6_copy_addr(dstip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
}
else {
*is_ipv6 = 0;
offset += sizeof(uint8_t);
ipv4_copy_addr(srcip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
ipv4_copy_addr(dstip, (uint32_t*)(key + offset));
offset += sizeof(uint32_t) * 4;
}
*srcport = *(uint16_t*)(key + offset);
offset += sizeof(*srcport);
*dstport = *(uint16_t*)(key + offset);
offset += sizeof(*dstport);
}
inline static void construct_key(const uint32_t srcip[4], const uint32_t dstip[4],
const uint16_t srcport, const uint16_t dstport,
char *key, const uint8_t is_ipv6)
{
debug("Construct key enter\n");
if (key) {
debug("Constructing key\n");
fill_key_data(key, is_ipv6, srcip, dstip, srcport, dstport);
}
debug("Construct key end\n");
}
inline static void deconstruct_key(const char *key, const tcp_connrecord_t *connrecord,
tcp_conntrack_info_t *conn_info)
{
debug("Deconstruct key enter\n");
if (key && conn_info) {
debug("Deconstructing key\n");
fill_data_from_key(&conn_info->is_ipv6,
conn_info->srcip, conn_info->dstip,
&conn_info->srcport, &conn_info->dstport,
key);
conn_info->ttl = connrecord->ttl;
}
debug("Deconstruct key end\n");
}
static int check_get_tcp_conntrack_key(const char *key, tcp_connrecord_t **connrecord) {
tcp_connrecord_t *tmp_connrecord = NULL;
if (!conntrack) return FALSE;
HASH_FIND_STR(conntrack, key, tmp_connrecord);
if (tmp_connrecord) {
if (connrecord)
*connrecord = tmp_connrecord;
debug("check_get_tcp_conntrack_key found key\n");
return TRUE;
}
debug("check_get_tcp_conntrack_key key not found\n");
return FALSE;
}
static int add_tcp_conntrack(const uint32_t srcip[4], const uint32_t dstip[4],
const uint16_t srcport, const uint16_t dstport,
const uint8_t is_ipv6, const uint8_t ttl
)
{
if (!(srcip && srcport && dstip && dstport))
return FALSE;
tcp_connrecord_t *tmp_connrecord = malloc(sizeof(tcp_connrecord_t));
construct_key(srcip, dstip, srcport, dstport, tmp_connrecord->key, is_ipv6);
if (!check_get_tcp_conntrack_key(tmp_connrecord->key, NULL)) {
tmp_connrecord->time = time(NULL);
tmp_connrecord->ttl = ttl;
HASH_ADD_STR(conntrack, key, tmp_connrecord);
debug("Added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
return TRUE;
}
debug("Not added TCP conntrack %u:%hu - %u:%hu\n", srcip[0], ntohs(srcport), dstip[0], ntohs(dstport));
free(tmp_connrecord);
return FALSE;
}
static void tcp_cleanup() {
tcp_connrecord_t *tmp_connrecord, *tmp_connrecord2 = NULL;
if (last_cleanup == 0) {
last_cleanup = time(NULL);
return;
}
if (difftime(time(NULL), last_cleanup) >= TCP_CLEANUP_INTERVAL_SEC) {
last_cleanup = time(NULL);
HASH_ITER(hh, conntrack, tmp_connrecord, tmp_connrecord2) {
if (difftime(last_cleanup, tmp_connrecord->time) >= TCP_CLEANUP_INTERVAL_SEC) {
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
}
}
}
}
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
uint8_t is_ipv6, uint8_t ttl)
{
tcp_cleanup();
debug("trying to add TCP srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return add_tcp_conntrack(srcip, dstip, srcport, dstport, is_ipv6, ttl);
debug("____tcp_handle_incoming FALSE: srcport = %hu, dstport = %hu\n", ntohs(srcport), ntohs(dstport));
return FALSE;
}
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
tcp_conntrack_info_t *conn_info,
uint8_t is_ipv6)
{
char key[TCP_CONNRECORD_KEY_LEN];
tcp_connrecord_t *tmp_connrecord = NULL;
if (!conn_info)
return FALSE;
tcp_cleanup();
construct_key(dstip, srcip, dstport, srcport, key, is_ipv6);
if (check_get_tcp_conntrack_key(key, &tmp_connrecord) && tmp_connrecord) {
/* Connection exists in conntrack, moving on */
deconstruct_key(key, tmp_connrecord, conn_info);
HASH_DEL(conntrack, tmp_connrecord);
free(tmp_connrecord);
debug("____tcp_handle_outgoing TRUE: srcport = %hu\n", ntohs(srcport));
return TRUE;
}
debug("____tcp_handle_outgoing FALSE: srcport = %hu\n", ntohs(srcport));
return FALSE;
}
int tcp_get_auto_ttl(const uint8_t ttl, const uint8_t autottl1,
const uint8_t autottl2, const uint8_t minhops,
const uint8_t maxttl) {
uint8_t nhops = 0;
uint8_t ttl_of_fake_packet = 0;
if (ttl > 98 && ttl < 128) {
nhops = 128 - ttl;
}
else if (ttl > 34 && ttl < 64) {
nhops = 64 - ttl;
}
else {
return 0;
}
if (nhops <= autottl1 || nhops < minhops) {
return 0;
}
ttl_of_fake_packet = nhops - autottl2;
if (ttl_of_fake_packet < autottl2 && nhops <= 9) {
ttl_of_fake_packet = nhops - autottl1 - trunc((autottl2 - autottl1) * ((float)nhops/10));
}
if (maxttl && ttl_of_fake_packet > maxttl) {
ttl_of_fake_packet = maxttl;
}
return ttl_of_fake_packet;
}

27
src/ttltrack.h Normal file
View File

@ -0,0 +1,27 @@
#ifndef _TTLTRACK_H
#define _TTLTRACK_H
#include <stdint.h>
#include "dnsredir.h"
typedef struct tcp_conntrack_info {
uint8_t is_ipv6;
uint8_t ttl;
uint32_t srcip[4];
uint16_t srcport;
uint32_t dstip[4];
uint16_t dstport;
} tcp_conntrack_info_t;
int tcp_handle_incoming(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
uint8_t is_ipv6, uint8_t ttl);
int tcp_handle_outgoing(uint32_t srcip[4], uint32_t dstip[4],
uint16_t srcport, uint16_t dstport,
tcp_conntrack_info_t *conn_info,
uint8_t is_ipv6);
int tcp_get_auto_ttl(const uint8_t ttl, const uint8_t autottl1,
const uint8_t autottl2, const uint8_t minhops,
const uint8_t maxttl);
#endif

4
src/utils/repl_str.c
View File

@ -46,11 +46,11 @@ char *repl_str(const char *str, const char *from, const char *to) {
}
}
pos_cache[count-1] = pstr2 - str;
pos_cache[count-1] = (uintptr_t)(pstr2 - str);
pstr = pstr2 + fromlen;
}
orglen = pstr - str + strlen(pstr);
orglen = (size_t)(pstr - str) + strlen(pstr);
/* Allocate memory for the post-replacement string. */
if (count > 0) {

182
src/utils/uthash.h
View File

@ -1,5 +1,5 @@
/*
Copyright (c) 2003-2017, Troy D. Hanson http://troydhanson.github.com/uthash/
Copyright (c) 2003-2021, Troy D. Hanson http://troydhanson.github.io/uthash/
All rights reserved.
Redistribution and use in source and binary forms, with or without
@ -24,12 +24,22 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#ifndef UTHASH_H
#define UTHASH_H
#define UTHASH_VERSION 2.0.2
#define UTHASH_VERSION 2.3.0
#include <string.h> /* memcmp, memset, strlen */
#include <stddef.h> /* ptrdiff_t */
#include <stdlib.h> /* exit */
#if defined(HASH_DEFINE_OWN_STDINT) && HASH_DEFINE_OWN_STDINT
/* This codepath is provided for backward compatibility, but I plan to remove it. */
#warning "HASH_DEFINE_OWN_STDINT is deprecated; please use HASH_NO_STDINT instead"
typedef unsigned int uint32_t;
typedef unsigned char uint8_t;
#elif defined(HASH_NO_STDINT) && HASH_NO_STDINT
#else
#include <stdint.h> /* uint8_t, uint32_t */
#endif
/* These macros use decltype or the earlier __typeof GNU extension.
As decltype is only available in newer compilers (VS2010 or gcc 4.3+
when compiling c++ source) this code uses whatever method is needed
@ -62,23 +72,6 @@ do {
} while (0)
#endif
/* a number of the hash function use uint32_t which isn't defined on Pre VS2010 */
#if defined(_WIN32)
#if defined(_MSC_VER) && _MSC_VER >= 1600
#include <stdint.h>
#elif defined(__WATCOMC__) || defined(__MINGW32__) || defined(__CYGWIN__)
#include <stdint.h>
#else
typedef unsigned int uint32_t;
typedef unsigned char uint8_t;
#endif
#elif defined(__GNUC__) && !defined(__VXWORKS__)
#include <stdint.h>
#else
typedef unsigned int uint32_t;
typedef unsigned char uint8_t;
#endif
#ifndef uthash_malloc
#define uthash_malloc(sz) malloc(sz) /* malloc fcn */
#endif
@ -88,13 +81,18 @@ typedef unsigned char uint8_t;
#ifndef uthash_bzero
#define uthash_bzero(a,n) memset(a,'\0',n)
#endif
#ifndef uthash_memcmp
#define uthash_memcmp(a,b,n) memcmp(a,b,n)
#endif
#ifndef uthash_strlen
#define uthash_strlen(s) strlen(s)
#endif
#ifndef HASH_FUNCTION
#define HASH_FUNCTION(keyptr,keylen,hashv) HASH_JEN(keyptr, keylen, hashv)
#endif
#ifndef HASH_KEYCMP
#define HASH_KEYCMP(a,b,n) memcmp(a,b,n)
#endif
#ifndef uthash_noexpand_fyi
#define uthash_noexpand_fyi(tbl) /* can be defined to log noexpand */
#endif
@ -136,7 +134,7 @@ typedef unsigned char uint8_t;
/* calculate the element whose hash handle address is hhp */
#define ELMT_FROM_HH(tbl,hhp) ((void*)(((char*)(hhp)) - ((tbl)->hho)))
/* calculate the hash handle from element address elp */
#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle *)(((char*)(elp)) + ((tbl)->hho)))
#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho)))
#define HASH_ROLLBACK_BKT(hh, head, itemptrhh) \
do { \
@ -150,7 +148,7 @@ do {
#define HASH_VALUE(keyptr,keylen,hashv) \
do { \
HASH_FCN(keyptr, keylen, hashv); \
HASH_FUNCTION(keyptr, keylen, hashv); \
} while (0)
#define HASH_FIND_BYHASHVALUE(hh,head,keyptr,keylen,hashval,out) \
@ -167,9 +165,12 @@ do {
#define HASH_FIND(hh,head,keyptr,keylen,out) \
do { \
unsigned _hf_hashv; \
HASH_VALUE(keyptr, keylen, _hf_hashv); \
HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \
(out) = NULL; \
if (head) { \
unsigned _hf_hashv; \
HASH_VALUE(keyptr, keylen, _hf_hashv); \
HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \
} \
} while (0)
#ifdef HASH_BLOOM
@ -397,7 +398,7 @@ do {
do { \
IF_HASH_NONFATAL_OOM( int _ha_oomed = 0; ) \
(add)->hh.hashv = (hashval); \
(add)->hh.key = (char*) (keyptr); \
(add)->hh.key = (const void*) (keyptr); \
(add)->hh.keylen = (unsigned) (keylen_in); \
if (!(head)) { \
(add)->hh.next = NULL; \
@ -478,11 +479,20 @@ do {
/* convenience forms of HASH_FIND/HASH_ADD/HASH_DEL */
#define HASH_FIND_STR(head,findstr,out) \
HASH_FIND(hh,head,findstr,(unsigned)uthash_strlen(findstr),out)
do { \
unsigned _uthash_hfstr_keylen = (unsigned)uthash_strlen(findstr); \
HASH_FIND(hh, head, findstr, _uthash_hfstr_keylen, out); \
} while (0)
#define HASH_ADD_STR(head,strfield,add) \
HASH_ADD(hh,head,strfield[0],(unsigned)uthash_strlen(add->strfield),add)
do { \
unsigned _uthash_hastr_keylen = (unsigned)uthash_strlen((add)->strfield); \
HASH_ADD(hh, head, strfield[0], _uthash_hastr_keylen, add); \
} while (0)
#define HASH_REPLACE_STR(head,strfield,add,replaced) \
HASH_REPLACE(hh,head,strfield[0],(unsigned)uthash_strlen(add->strfield),add,replaced)
do { \
unsigned _uthash_hrstr_keylen = (unsigned)uthash_strlen((add)->strfield); \
HASH_REPLACE(hh, head, strfield[0], _uthash_hrstr_keylen, add, replaced); \
} while (0)
#define HASH_FIND_INT(head,findint,out) \
HASH_FIND(hh,head,findint,sizeof(int),out)
#define HASH_ADD_INT(head,intfield,add) \
@ -502,7 +512,8 @@ do {
* This is for uthash developer only; it compiles away if HASH_DEBUG isn't defined.
*/
#ifdef HASH_DEBUG
#define HASH_OOPS(...) do { fprintf(stderr,__VA_ARGS__); exit(-1); } while (0)
#include <stdio.h> /* fprintf, stderr */
#define HASH_OOPS(...) do { fprintf(stderr, __VA_ARGS__); exit(-1); } while (0)
#define HASH_FSCK(hh,head,where) \
do { \
struct UT_hash_handle *_thh; \
@ -569,13 +580,6 @@ do {
#define HASH_EMIT_KEY(hh,head,keyptr,fieldlen)
#endif
/* default to Jenkin's hash unless overridden e.g. DHASH_FUNCTION=HASH_SAX */
#ifdef HASH_FUNCTION
#define HASH_FCN HASH_FUNCTION
#else
#define HASH_FCN HASH_JEN
#endif
/* The Bernstein hash function, used in Perl prior to v5.6. Note (x<<5+x)=x*33. */
#define HASH_BER(key,keylen,hashv) \
do { \
@ -674,7 +678,8 @@ do {
case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \
case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \
case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \
case 1: _hj_i += _hj_key[0]; \
case 1: _hj_i += _hj_key[0]; /* FALLTHROUGH */ \
default: ; \
} \
HASH_JEN_MIX(_hj_i, _hj_j, hashv); \
} while (0)
@ -722,6 +727,8 @@ do {
case 1: hashv += *_sfh_key; \
hashv ^= hashv << 10; \
hashv += hashv >> 1; \
break; \
default: ; \
} \
\
/* Force "avalanching" of final 127 bits */ \
@ -733,87 +740,6 @@ do {
hashv += hashv >> 6; \
} while (0)
#ifdef HASH_USING_NO_STRICT_ALIASING
/* The MurmurHash exploits some CPU's (x86,x86_64) tolerance for unaligned reads.
* For other types of CPU's (e.g. Sparc) an unaligned read causes a bus error.
* MurmurHash uses the faster approach only on CPU's where we know it's safe.
*
* Note the preprocessor built-in defines can be emitted using:
*
* gcc -m64 -dM -E - < /dev/null (on gcc)
* cc -## a.c (where a.c is a simple test file) (Sun Studio)
*/
#if (defined(__i386__) || defined(__x86_64__) || defined(_M_IX86))
#define MUR_GETBLOCK(p,i) p[i]
#else /* non intel */
#define MUR_PLUS0_ALIGNED(p) (((unsigned long)p & 3UL) == 0UL)
#define MUR_PLUS1_ALIGNED(p) (((unsigned long)p & 3UL) == 1UL)
#define MUR_PLUS2_ALIGNED(p) (((unsigned long)p & 3UL) == 2UL)
#define MUR_PLUS3_ALIGNED(p) (((unsigned long)p & 3UL) == 3UL)
#define WP(p) ((uint32_t*)((unsigned long)(p) & ~3UL))
#if (defined(__BIG_ENDIAN__) || defined(SPARC) || defined(__ppc__) || defined(__ppc64__))
#define MUR_THREE_ONE(p) ((((*WP(p))&0x00ffffff) << 8) | (((*(WP(p)+1))&0xff000000) >> 24))
#define MUR_TWO_TWO(p) ((((*WP(p))&0x0000ffff) <<16) | (((*(WP(p)+1))&0xffff0000) >> 16))
#define MUR_ONE_THREE(p) ((((*WP(p))&0x000000ff) <<24) | (((*(WP(p)+1))&0xffffff00) >> 8))
#else /* assume little endian non-intel */
#define MUR_THREE_ONE(p) ((((*WP(p))&0xffffff00) >> 8) | (((*(WP(p)+1))&0x000000ff) << 24))
#define MUR_TWO_TWO(p) ((((*WP(p))&0xffff0000) >>16) | (((*(WP(p)+1))&0x0000ffff) << 16))
#define MUR_ONE_THREE(p) ((((*WP(p))&0xff000000) >>24) | (((*(WP(p)+1))&0x00ffffff) << 8))
#endif
#define MUR_GETBLOCK(p,i) (MUR_PLUS0_ALIGNED(p) ? ((p)[i]) : \
(MUR_PLUS1_ALIGNED(p) ? MUR_THREE_ONE(p) : \
(MUR_PLUS2_ALIGNED(p) ? MUR_TWO_TWO(p) : \
MUR_ONE_THREE(p))))
#endif
#define MUR_ROTL32(x,r) (((x) << (r)) | ((x) >> (32 - (r))))
#define MUR_FMIX(_h) \
do { \
_h ^= _h >> 16; \
_h *= 0x85ebca6bu; \
_h ^= _h >> 13; \
_h *= 0xc2b2ae35u; \
_h ^= _h >> 16; \
} while (0)
#define HASH_MUR(key,keylen,hashv) \
do { \
const uint8_t *_mur_data = (const uint8_t*)(key); \
const int _mur_nblocks = (int)(keylen) / 4; \
uint32_t _mur_h1 = 0xf88D5353u; \
uint32_t _mur_c1 = 0xcc9e2d51u; \
uint32_t _mur_c2 = 0x1b873593u; \
uint32_t _mur_k1 = 0; \
const uint8_t *_mur_tail; \
const uint32_t *_mur_blocks = (const uint32_t*)(_mur_data+(_mur_nblocks*4)); \
int _mur_i; \
for (_mur_i = -_mur_nblocks; _mur_i != 0; _mur_i++) { \
_mur_k1 = MUR_GETBLOCK(_mur_blocks,_mur_i); \
_mur_k1 *= _mur_c1; \
_mur_k1 = MUR_ROTL32(_mur_k1,15); \
_mur_k1 *= _mur_c2; \
\
_mur_h1 ^= _mur_k1; \
_mur_h1 = MUR_ROTL32(_mur_h1,13); \
_mur_h1 = (_mur_h1*5U) + 0xe6546b64u; \
} \
_mur_tail = (const uint8_t*)(_mur_data + (_mur_nblocks*4)); \
_mur_k1=0; \
switch ((keylen) & 3U) { \
case 0: break; \
case 3: _mur_k1 ^= (uint32_t)_mur_tail[2] << 16; /* FALLTHROUGH */ \
case 2: _mur_k1 ^= (uint32_t)_mur_tail[1] << 8; /* FALLTHROUGH */ \
case 1: _mur_k1 ^= (uint32_t)_mur_tail[0]; \
_mur_k1 *= _mur_c1; \
_mur_k1 = MUR_ROTL32(_mur_k1,15); \
_mur_k1 *= _mur_c2; \
_mur_h1 ^= _mur_k1; \
} \
_mur_h1 ^= (uint32_t)(keylen); \
MUR_FMIX(_mur_h1); \
hashv = _mur_h1; \
} while (0)
#endif /* HASH_USING_NO_STRICT_ALIASING */
/* iterate over items in a known bucket to find desired item */
#define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,hashval,out) \
do { \
@ -824,7 +750,7 @@ do {
} \
while ((out) != NULL) { \
if ((out)->hh.hashv == (hashval) && (out)->hh.keylen == (keylen_in)) { \
if (uthash_memcmp((out)->hh.key, keyptr, keylen_in) == 0) { \
if (HASH_KEYCMP((out)->hh.key, keyptr, keylen_in) == 0) { \
break; \
} \
} \
@ -910,12 +836,12 @@ do {
struct UT_hash_handle *_he_thh, *_he_hh_nxt; \
UT_hash_bucket *_he_new_buckets, *_he_newbkt; \
_he_new_buckets = (UT_hash_bucket*)uthash_malloc( \
2UL * (tbl)->num_buckets * sizeof(struct UT_hash_bucket)); \
sizeof(struct UT_hash_bucket) * (tbl)->num_buckets * 2U); \
if (!_he_new_buckets) { \
HASH_RECORD_OOM(oomed); \
} else { \
uthash_bzero(_he_new_buckets, \
2UL * (tbl)->num_buckets * sizeof(struct UT_hash_bucket)); \
sizeof(struct UT_hash_bucket) * (tbl)->num_buckets * 2U); \
(tbl)->ideal_chain_maxlen = \
((tbl)->num_items >> ((tbl)->log2_num_buckets+1U)) + \
((((tbl)->num_items & (((tbl)->num_buckets*2U)-1U)) != 0U) ? 1U : 0U); \
@ -928,7 +854,9 @@ do {
_he_newbkt = &(_he_new_buckets[_he_bkt]); \
if (++(_he_newbkt->count) > (tbl)->ideal_chain_maxlen) { \
(tbl)->nonideal_items++; \
_he_newbkt->expand_mult = _he_newbkt->count / (tbl)->ideal_chain_maxlen; \
if (_he_newbkt->count > _he_newbkt->expand_mult * (tbl)->ideal_chain_maxlen) { \
_he_newbkt->expand_mult++; \
} \
} \
_he_thh->hh_prev = NULL; \
_he_thh->hh_next = _he_newbkt->hh_head; \
@ -1061,7 +989,7 @@ do {
_elt = ELMT_FROM_HH((src)->hh_src.tbl, _src_hh); \
if (cond(_elt)) { \
IF_HASH_NONFATAL_OOM( int _hs_oomed = 0; ) \
_dst_hh = (UT_hash_handle*)(((char*)_elt) + _dst_hho); \
_dst_hh = (UT_hash_handle*)(void*)(((char*)_elt) + _dst_hho); \
_dst_hh->key = _src_hh->key; \
_dst_hh->keylen = _src_hh->keylen; \
_dst_hh->hashv = _src_hh->hashv; \
@ -1200,7 +1128,7 @@ typedef struct UT_hash_handle {
void *next; /* next element in app order */
struct UT_hash_handle *hh_prev; /* previous hh in bucket order */
struct UT_hash_handle *hh_next; /* next hh in bucket order */
void *key; /* ptr to enclosing struct's key */
const void *key; /* ptr to enclosing struct's key */
unsigned keylen; /* enclosing struct's key len */
unsigned hashv; /* result of hash-fcn(key) */
} UT_hash_handle;