fix: Update firewall rules

Author: MikeWang000000

src/ipv4ipt.c

@@ -89,7 +89,7 @@ static int ipt4_iface_setup(void)
 int fh_ipt4_setup(void)
 {
     char xmark_str[64], nfqnum_str[32];
-    size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
+    size_t i, ipt_cmds_cnt;
     int res;
     char *ipt_cmds[][32] = {
         {"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP_S", NULL},
@@ -161,13 +161,6 @@ int fh_ipt4_setup(void)
         /*
             exclude marked packets
         */
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
-         "--mark", xmark_str, "-j", "CONNMARK", "--set-xmark", xmark_str,
-         NULL},
-
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m",
-         "connmark", "--mark", xmark_str, "-j", "MARK", "--set-xmark",
-         xmark_str, NULL},
 
         {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
          "--mark", xmark_str, "-j", "RETURN", NULL},
@@ -179,22 +172,10 @@ int fh_ipt4_setup(void)
          "--tcp-flags", "SYN,FIN,RST", "SYN", "-j", "NFQUEUE",
          "--queue-bypass", "--queue-num", nfqnum_str, NULL}};
 
-    char *ipt_opt_cmds[][32] = {
-        /*
-            exclude packets from connections with more than 32 packets
-        */
-        {"iptables", "-w", "-t", "mangle", "-I", "FAKEHTTP_R", "-m",
-         "connbytes", "!", "--connbytes", "0:32", "--connbytes-dir", "both",
-         "--connbytes-mode", "packets", "-j", "RETURN", NULL},
-
-        /*
-            exclude big packets
-        */
-        {"iptables", "-w", "-t", "mangle", "-I", "FAKEHTTP_R", "-m", "length",
-         "!", "--length", "0:120", "-j", "RETURN", NULL}};
+    E("ERROR: iptables rules is under development, please use nft.");
+    return -1;
 
     ipt_cmds_cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
-    ipt_opt_cmds_cnt = sizeof(ipt_opt_cmds) / sizeof(*ipt_opt_cmds);
 
     res = snprintf(xmark_str, sizeof(xmark_str), "%" PRIu32 "/%" PRIu32,
                    g_ctx.fwmark, g_ctx.fwmask);
@@ -219,10 +200,6 @@ int fh_ipt4_setup(void)
         }
     }
 
-    for (i = 0; i < ipt_opt_cmds_cnt; i++) {
-        fh_execute_command(ipt_opt_cmds[i], 1, NULL);
-    }
-
     res = ipt4_iface_setup();
     if (res < 0) {
         E(T(ipt4_iface_setup));

src/ipv4nft.c

@@ -41,12 +41,24 @@ static int nft4_iface_setup(void)
             E("ERROR: snprintf(): %s", "failure");
             return -1;
         }
+        res = fh_execute_command(nft_iface_cmd, 0, NULL);
+        if (res < 0) {
+            E(T(fh_execute_command));
+            return -1;
+        }
 
+        res = snprintf(nftstr, sizeof(nftstr),
+                       "add rule ip fakehttp fh_postrouting jump fh_rules");
+        if (res < 0 || (size_t) res >= sizeof(nftstr)) {
+            E("ERROR: snprintf(): %s", "failure");
+            return -1;
+        }
         res = fh_execute_command(nft_iface_cmd, 0, NULL);
         if (res < 0) {
             E(T(fh_execute_command));
             return -1;
         }
+
         return 0;
     }
 
@@ -85,7 +97,6 @@ static int nft4_iface_setup(void)
 
 int fh_nft4_setup(void)
 {
-    size_t i, nft_opt_cmds_cnt;
     int res;
     char *nft_cmd[] = {"nft", "-f", "-", NULL};
     char nft_conf_buff[2048];
@@ -95,7 +106,7 @@ int fh_nft4_setup(void)
         "        type filter hook prerouting priority mangle - 5;\n"
         "        policy accept;\n"
         /*
-            exclude local IPs
+            exclude local IPs (from source)
         */
         "        ip saddr 0.0.0.0/8      return;\n"
         "        ip saddr 10.0.0.0/8     return;\n"
@@ -108,10 +119,10 @@ int fh_nft4_setup(void)
         "    }\n"
         "\n"
         "    chain fh_postrouting {\n"
-        "        type filter hook postrouting priority mangle - 5;\n"
+        "        type filter hook postrouting priority srcnat + 5;\n"
         "        policy accept;\n"
         /*
-            exclude local IPs
+            exclude local IPs (to destination)
         */
         "        ip daddr 0.0.0.0/8      return;\n"
         "        ip daddr 10.0.0.0/8     return;\n"
@@ -128,12 +139,6 @@ int fh_nft4_setup(void)
         /*
             exclude marked packets
         */
-        "        meta mark and %" PRIu32 " == %" PRIu32
-        " ct mark set ct mark and %" PRIu32 " xor %" PRIu32 ";\n"
-
-        "        ct mark and %" PRIu32 " == %" PRIu32
-        " meta mark set mark and %" PRIu32 " xor %" PRIu32 ";\n"
-
         "        meta mark and %" PRIu32 " == %" PRIu32 " return;\n"
 
         /*
@@ -145,24 +150,7 @@ int fh_nft4_setup(void)
         "    }\n"
         "}\n";
 
-    char *nft_opt_cmds[][32] = {
-        /*
-            exclude packets from connections with more than 32 packets
-        */
-        {"nft", "insert rule ip fakehttp fh_rules ct packets > 32 return",
-         NULL},
-
-        /*
-            exclude big packets
-        */
-        {"nft", "insert rule ip fakehttp fh_rules meta length > 120 return",
-         NULL}};
-
-    nft_opt_cmds_cnt = sizeof(nft_opt_cmds) / sizeof(*nft_opt_cmds);
-
     res = snprintf(nft_conf_buff, sizeof(nft_conf_buff), nft_conf_fmt,
-                   g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
-                   g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
                    g_ctx.fwmask, g_ctx.fwmark, g_ctx.nfqnum);
     if (res < 0 || (size_t) res >= sizeof(nft_conf_buff)) {
         E("ERROR: snprintf(): %s", "failure");
@@ -177,10 +165,6 @@ int fh_nft4_setup(void)
         return -1;
     }
 
-    for (i = 0; i < nft_opt_cmds_cnt; i++) {
-        fh_execute_command(nft_opt_cmds[i], 1, NULL);
-    }
-
     res = nft4_iface_setup();
     if (res < 0) {
         E(T(nft4_iface_setup));

src/ipv6ipt.c

@@ -89,7 +89,7 @@ static int ipt6_iface_setup(void)
 int fh_ipt6_setup(void)
 {
     char xmark_str[64], nfqnum_str[32];
-    size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
+    size_t i, ipt_cmds_cnt;
     int res;
     char *ipt_cmds[][32] = {
         {"ip6tables", "-w", "-t", "mangle", "-N", "FAKEHTTP_S", NULL},
@@ -128,7 +128,6 @@ int fh_ipt6_setup(void)
         {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP_S", "-s",
          "fe80::/10", "-j", "RETURN", NULL},
 
-
         /*
             exclude special IPv6 addresses (to destination)
         */
@@ -156,14 +155,6 @@ int fh_ipt6_setup(void)
         /*
             exclude marked packets
         */
-        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
-         "--mark", xmark_str, "-j", "CONNMARK", "--set-xmark", xmark_str,
-         NULL},
-
-        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m",
-         "connmark", "--mark", xmark_str, "-j", "MARK", "--set-xmark",
-         xmark_str, NULL},
-
         {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
          "--mark", xmark_str, "-j", "RETURN", NULL},
 
@@ -174,22 +165,10 @@ int fh_ipt6_setup(void)
          "--tcp-flags", "SYN,FIN,RST", "SYN", "-j", "NFQUEUE",
          "--queue-bypass", "--queue-num", nfqnum_str, NULL}};
 
-    char *ipt_opt_cmds[][32] = {
-        /*
-            exclude packets from connections with more than 32 packets
-        */
-        {"ip6tables", "-w", "-t", "mangle", "-I", "FAKEHTTP_R", "-m",
-         "connbytes", "!", "--connbytes", "0:32", "--connbytes-dir", "both",
-         "--connbytes-mode", "packets", "-j", "RETURN", NULL},
-
-        /*
-            exclude big packets
-        */
-        {"ip6tables", "-w", "-t", "mangle", "-I", "FAKEHTTP_R", "-m", "length",
-         "!", "--length", "0:120", "-j", "RETURN", NULL}};
+    E("ERROR: iptables rules is under development, please use nft.");
+    return -1;
 
     ipt_cmds_cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
-    ipt_opt_cmds_cnt = sizeof(ipt_opt_cmds) / sizeof(*ipt_opt_cmds);
 
     res = snprintf(xmark_str, sizeof(xmark_str), "%" PRIu32 "/%" PRIu32,
                    g_ctx.fwmark, g_ctx.fwmask);
@@ -214,10 +193,6 @@ int fh_ipt6_setup(void)
         }
     }
 
-    for (i = 0; i < ipt_opt_cmds_cnt; i++) {
-        fh_execute_command(ipt_opt_cmds[i], 1, NULL);
-    }
-
     res = ipt6_iface_setup();
     if (res < 0) {
         E(T(ipt6_iface_setup));

src/ipv6nft.c

@@ -41,12 +41,24 @@ static int nft6_iface_setup(void)
             E("ERROR: snprintf(): %s", "failure");
             return -1;
         }
+        res = fh_execute_command(nft_iface_cmd, 0, NULL);
+        if (res < 0) {
+            E(T(fh_execute_command));
+            return -1;
+        }
 
+        res = snprintf(nftstr, sizeof(nftstr),
+                       "add rule ip6 fakehttp fh_postrouting jump fh_rules");
+        if (res < 0 || (size_t) res >= sizeof(nftstr)) {
+            E("ERROR: snprintf(): %s", "failure");
+            return -1;
+        }
         res = fh_execute_command(nft_iface_cmd, 0, NULL);
         if (res < 0) {
             E(T(fh_execute_command));
             return -1;
         }
+
         return 0;
     }
 
@@ -85,7 +97,6 @@ static int nft6_iface_setup(void)
 
 int fh_nft6_setup(void)
 {
-    size_t i, nft_opt_cmds_cnt;
     int res;
     char *nft_cmd[] = {"nft", "-f", "-", NULL};
     char nft_conf_buff[2048];
@@ -95,7 +106,7 @@ int fh_nft6_setup(void)
         "        type filter hook prerouting priority mangle - 5;\n"
         "        policy accept;\n"
         /*
-            exclude special IPv6 addresses
+            exclude special IPv6 addresses (from source)
         */
         "        ip6 saddr ::/127         return;\n"
         "        ip6 saddr ::ffff:0:0/96  return;\n"
@@ -107,10 +118,10 @@ int fh_nft6_setup(void)
         "    }\n"
         "\n"
         "    chain fh_postrouting {\n"
-        "        type filter hook postrouting priority mangle - 5;\n"
+        "        type filter hook postrouting priority srcnat + 5;\n"
         "        policy accept;\n"
         /*
-            exclude special IPv6 addresses
+            exclude special IPv6 addresses (to destination)
         */
         "        ip6 daddr ::/127         return;\n"
         "        ip6 daddr ::ffff:0:0/96  return;\n"
@@ -126,12 +137,6 @@ int fh_nft6_setup(void)
         /*
             exclude marked packets
         */
-        "        meta mark and %" PRIu32 " == %" PRIu32
-        " ct mark set ct mark and %" PRIu32 " xor %" PRIu32 ";\n"
-
-        "        ct mark and %" PRIu32 " == %" PRIu32
-        " meta mark set mark and %" PRIu32 " xor %" PRIu32 ";\n"
-
         "        meta mark and %" PRIu32 " == %" PRIu32 " return;\n"
 
         /*
@@ -143,24 +148,7 @@ int fh_nft6_setup(void)
         "    }\n"
         "}\n";
 
-    char *nft_opt_cmds[][32] = {
-        /*
-            exclude packets from connections with more than 32 packets
-        */
-        {"nft", "insert rule ip6 fakehttp fh_rules ct packets > 32 return",
-         NULL},
-
-        /*
-            exclude big packets
-        */
-        {"nft", "insert rule ip6 fakehttp fh_rules meta length > 120 return",
-         NULL}};
-
-    nft_opt_cmds_cnt = sizeof(nft_opt_cmds) / sizeof(*nft_opt_cmds);
-
     res = snprintf(nft_conf_buff, sizeof(nft_conf_buff), nft_conf_fmt,
-                   g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
-                   g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
                    g_ctx.fwmask, g_ctx.fwmark, g_ctx.nfqnum);
     if (res < 0 || (size_t) res >= sizeof(nft_conf_buff)) {
         E("ERROR: snprintf(): %s", "failure");
@@ -175,10 +163,6 @@ int fh_nft6_setup(void)
         return -1;
     }
 
-    for (i = 0; i < nft_opt_cmds_cnt; i++) {
-        fh_execute_command(nft_opt_cmds[i], 1, NULL);
-    }
-
     res = nft6_iface_setup();
     if (res < 0) {
         E(T(nft6_iface_setup));

src/nfqueue.c

@@ -77,12 +77,12 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
     memset(&sll, 0, sizeof(sll));
     sll.sll_family = AF_PACKET;
     sll.sll_protocol = ph->hw_protocol;
-    if (iifindex) {
-        sll.sll_pkttype = PACKET_HOST;
-        sll.sll_ifindex = iifindex;
-    } else if (oifindex) {
+    if (oifindex) {
         sll.sll_pkttype = PACKET_OUTGOING;
         sll.sll_ifindex = oifindex;
+    } else if (iifindex) {
+        sll.sll_pkttype = PACKET_HOST;
+        sll.sll_ifindex = iifindex;
     } else {
         EE("ERROR: Failed to get interface index");
         goto ret_accept;
@@ -102,20 +102,13 @@ static int callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
     if (res < 0) {
         EE(T(fh_rawsend_handle));
         goto ret_accept;
-    } else if (res) {
-        goto ret_accept;
     }
 
     if (modified) {
-        return nfq_set_verdict2(qh, pkt_id, NF_REPEAT, g_ctx.fwmark, pkt_len,
-                                pkt_data);
+        return nfq_set_verdict(qh, pkt_id, NF_ACCEPT, pkt_len, pkt_data);
     }
-    return nfq_set_verdict2(qh, pkt_id, NF_REPEAT, g_ctx.fwmark, 0, NULL);
 
 ret_accept:
-    if (modified) {
-        return nfq_set_verdict(qh, pkt_id, NF_ACCEPT, pkt_len, pkt_data);
-    }
     return nfq_set_verdict(qh, pkt_id, NF_ACCEPT, 0, NULL);
 }
 

src/rawsend.c

@@ -401,7 +401,7 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
             return -1;
         }
 
-        return 1;
+        return 0;
     } else if (sll->sll_pkttype == PACKET_OUTGOING && tcph->syn) {
         if (!g_ctx.outbound) {
             E_INFO("%s:%u <===SYN(?)=== %s:%u", dst_ip, ntohs(tcph->dest),
@@ -418,10 +418,10 @@ int fh_rawsend_handle(struct sockaddr_ll *sll, uint8_t *pkt_data, int pkt_len,
                    ntohs(tcph->source));
         }
 
-        return 1;
+        return 0;
     } else {
         E_INFO("%s:%u ===(?)=== %s:%u", src_ip, ntohs(tcph->source), dst_ip,
                ntohs(tcph->dest));
-        return 1;
+        return 0;
     }
 }