Compare commits

...

12 Commits

Author SHA1 Message Date
Matt
b1748a2fd8 Merge b6c6813d41 into 4623f878e0 2024-06-10 19:17:55 -04:00
yancey
4623f878e0 fix cipher bug 2024-06-10 05:22:12 -04:00
Matt
b6c6813d41 make mingw_cross 2024-04-03 12:44:50 +08:00
mxmkeep
9045264d37 tcp spa: optimize check logic 2024-03-27 22:44:50 +08:00
root
4e6e1e6a97 support TCP SPA feature 2024-03-22 00:51:09 +08:00
Yancey Wang
e42f0e5732 Update README.md 2023-11-15 15:15:46 -05:00
yancey
f49e6adedf remove Dockerfile 2023-11-06 03:19:46 -05:00
yancey
d1a9bcc4fb try to fix linux 6.5 compile 2023-10-07 08:26:10 -04:00
Yancey Wang
bc8bd8c2f8 Merge pull request #475 from gek64/unified
Fix compile errors on FreeBSD/pfSense/OPNsense
2023-09-21 16:35:45 -04:00
gek64
ca16c3a5e6 Merge branch 'wangyu-:unified' into unified 2023-07-27 21:10:28 +08:00
Yancey Wang
7abe19c7d9 Merge pull request #482 from wangyu-/revert-455-unified
Revert "fix CMakeLists.txt"
2023-07-22 17:31:10 -04:00
gek64
ec416515f3 Fix compile errors on freebsd 2023-06-14 16:26:10 +08:00
10 changed files with 88 additions and 23 deletions

View File

@@ -1,13 +0,0 @@
FROM alpine:3.6 as builder
WORKDIR /
RUN apk add --no-cache git build-base linux-headers && \
git clone https://github.com/wangyu-/udp2raw-tunnel.git && \
cd udp2raw-tunnel && \
make dynamic
FROM alpine:3.6
RUN apk add --no-cache libstdc++ iptables
COPY --from=builder /udp2raw-tunnel/udp2raw_dynamic /bin/
ENTRYPOINT [ "/bin/udp2raw_dynamic" ]

View File

@@ -81,7 +81,7 @@ Assume your UDP is blocked or being QOS-ed or just poorly supported. Assume your
Now,an encrypted raw tunnel has been established between client and server through TCP port 4096. Connecting to UDP port 3333 at the client side is equivalent to connecting to port 7777 at the server side. No UDP traffic will be exposed. Now,an encrypted raw tunnel has been established between client and server through TCP port 4096. Connecting to UDP port 3333 at the client side is equivalent to connecting to port 7777 at the server side. No UDP traffic will be exposed.
### Note ### Note
To run on Android, check [Android_Guide](/doc/android_guide.md) To run on Android, check [Android_Guide](https://github.com/wangyu-/udp2raw/wiki/Android-Guide)
`-a` option automatically adds an iptables rule (or a few iptables rules) for you, udp2raw relies on this iptables rule to work stably. Be aware you dont forget `-a` (its a common mistake). If you dont want udp2raw to add iptables rule automatically, you can add it manually(take a look at `-g` option) and omit `-a`. `-a` option automatically adds an iptables rule (or a few iptables rules) for you, udp2raw relies on this iptables rule to work stably. Be aware you dont forget `-a` (its a common mistake). If you dont want udp2raw to add iptables rule automatically, you can add it manually(take a look at `-g` option) and omit `-a`.

View File

@@ -163,6 +163,8 @@ extern int force_socket_buf;
extern int g_fix_gro; extern int g_fix_gro;
extern int g_tcp_spa;
/* /*
struct ip_port_t struct ip_port_t
{ {

View File

@@ -435,7 +435,7 @@ int send_safer(conn_info_t &conn_info, char type, const char *data, int len) //
if (cipher_mode == cipher_xor) { if (cipher_mode == cipher_xor) {
send_data_buf2[0] ^= gro_xor[0]; send_data_buf2[0] ^= gro_xor[0];
send_data_buf2[1] ^= gro_xor[1]; send_data_buf2[1] ^= gro_xor[1];
} else if (cipher_mode == cipher_aes128cbc || cipher_mode == cipher_aes128cbc) { } else if (cipher_mode == cipher_aes128cbc || cipher_mode == cipher_aes128cfb) {
aes_ecb_encrypt1(send_data_buf2); aes_ecb_encrypt1(send_data_buf2);
} }
} }
@@ -586,7 +586,7 @@ int recv_safer_multi(conn_info_t &conn_info, vector<char> &type_arr, vector<stri
if (cipher_mode == cipher_xor) { if (cipher_mode == cipher_xor) {
recv_data[0] ^= gro_xor[0]; recv_data[0] ^= gro_xor[0];
recv_data[1] ^= gro_xor[1]; recv_data[1] ^= gro_xor[1];
} else if (cipher_mode == cipher_aes128cbc || cipher_mode == cipher_aes128cbc) { } else if (cipher_mode == cipher_aes128cbc || cipher_mode == cipher_aes128cfb) {
aes_ecb_decrypt1(recv_data); aes_ecb_decrypt1(recv_data);
} }
single_len = read_u16(recv_data); single_len = read_u16(recv_data);

1
git_version.h Normal file
View File

@@ -0,0 +1 @@
const char *gitversion = "e42f0e573221c5e0146c02fd5d71f32aa93c7221";

View File

@@ -103,7 +103,7 @@ linux:git_version
${cc_local} -o ${NAME}_$@ -I. ${SOURCES} ${PCAP} ${FLAGS} -lrt -ggdb -static -O2 ${MP} ${cc_local} -o ${NAME}_$@ -I. ${SOURCES} ${PCAP} ${FLAGS} -lrt -ggdb -static -O2 ${MP}
freebsd:git_version freebsd:git_version
${cc_local} -o ${NAME}_$@ -I. ${SOURCES} ${PCAP} ${FLAGS} -lrt -ggdb -static -O2 ${MP} ${cc_local} -o ${NAME}_$@ -I. ${SOURCES} ${PCAP} ${FLAGS} -lrt -ggdb -static -libverbs -O2 ${MP}
mac:git_version mac:git_version
${cc_local} -o ${NAME}_$@ -I. ${SOURCES} ${PCAP} ${FLAGS} -ggdb -O2 ${MP} ${cc_local} -o ${NAME}_$@ -I. ${SOURCES} ${PCAP} ${FLAGS} -ggdb -O2 ${MP}

View File

@@ -148,7 +148,9 @@ void print_help() {
printf(" --disable-anti-replay disable anti-replay,not suggested\n"); printf(" --disable-anti-replay disable anti-replay,not suggested\n");
printf(" --fix-gro try to fix huge packet caused by GRO. this option is at an early stage.\n"); printf(" --fix-gro try to fix huge packet caused by GRO. this option is at an early stage.\n");
printf(" make sure client and server are at same version.\n"); printf(" make sure client and server are at same version.\n");
printf(" --tcp-spa TCP SPA mode to avoid port scanning.\n");
printf(" when enable on server mode, will check SYN's option.\n");
// printf("\n"); // printf("\n");
printf("client options:\n"); printf("client options:\n");
printf(" --source-ip <ip> force source-ip for raw socket\n"); printf(" --source-ip <ip> force source-ip for raw socket\n");
@@ -296,6 +298,7 @@ void process_arg(int argc, char *argv[]) // process all options
{"no-pcap-mutex", no_argument, 0, 1}, {"no-pcap-mutex", no_argument, 0, 1},
#endif #endif
{"fix-gro", no_argument, 0, 1}, {"fix-gro", no_argument, 0, 1},
{"tcp-spa", no_argument, 0, 1},
{NULL, 0, 0, 0}}; {NULL, 0, 0, 0}};
process_log_level(argc, argv); process_log_level(argc, argv);
@@ -677,6 +680,9 @@ void process_arg(int argc, char *argv[]) // process all options
} else if (strcmp(long_options[option_index].name, "fix-gro") == 0) { } else if (strcmp(long_options[option_index].name, "fix-gro") == 0) {
mylog(log_info, "--fix-gro enabled\n"); mylog(log_info, "--fix-gro enabled\n");
g_fix_gro = 1; g_fix_gro = 1;
} else if (strcmp(long_options[option_index].name, "tcp-spa") == 0) {
mylog(log_info, "--tcp-spa enabled\n");
g_tcp_spa = 1;
} else { } else {
mylog(log_warn, "ignored unknown long option ,option_index:%d code:<%x>\n", option_index, optopt); mylog(log_warn, "ignored unknown long option ,option_index:%d code:<%x>\n", option_index, optopt);
} }

View File

@@ -259,6 +259,40 @@ tcpdump -i eth1 ip and icmp -dd
*/ */
#endif #endif
//tcp option for SPA
int g_tcp_spa = 0;
typedef struct tcpopt_data {
uint8_t opcode;
uint8_t opsize;
uint16_t reserve;
uint32_t csum;
}tcpopt_data_t;
#define TCPOPT_SPA 233
#define HASH_PRIME 16777619
#define HASH_OFFSET 2166136261U
//FNV-1a from GPT
uint32_t checksum(uint32_t timestamp, const char* key) {
uint32_t hash = HASH_OFFSET;
const char* ptr = key;
size_t key_len = strlen(key);
for (size_t i = 0; i < key_len; i++) {
hash ^= (uint32_t)ptr[i];
hash *= HASH_PRIME;
}
for (uint32_t i = 0; i < sizeof(uint32_t); i++) {
hash ^= (uint32_t)(timestamp & 0xFF);
hash *= HASH_PRIME;
timestamp >>= 8;
}
return hash;
}
//--------------
packet_info_t::packet_info_t() { packet_info_t::packet_info_t() {
src_port = 0; src_port = 0;
dst_port = 0; dst_port = 0;
@@ -702,7 +736,7 @@ void init_filter(int port) {
} }
} }
int dummy; int dummy=0;
int ret = setsockopt(raw_recv_fd, SOL_SOCKET, SO_DETACH_FILTER, &dummy, sizeof(dummy)); // in case i forgot to remove int ret = setsockopt(raw_recv_fd, SOL_SOCKET, SO_DETACH_FILTER, &dummy, sizeof(dummy)); // in case i forgot to remove
if (ret != 0) { if (ret != 0) {
@@ -841,7 +875,7 @@ void init_filter(int port) {
void remove_filter() { void remove_filter() {
filter_port = 0; filter_port = 0;
#ifdef UDP2RAW_LINUX #ifdef UDP2RAW_LINUX
int dummy; int dummy=0;
int ret = setsockopt(raw_recv_fd, SOL_SOCKET, SO_DETACH_FILTER, &dummy, sizeof(dummy)); int ret = setsockopt(raw_recv_fd, SOL_SOCKET, SO_DETACH_FILTER, &dummy, sizeof(dummy));
if (ret != 0) { if (ret != 0) {
mylog(log_debug, "error remove fiter\n"); mylog(log_debug, "error remove fiter\n");
@@ -1679,6 +1713,16 @@ int send_raw_tcp(raw_info_t &raw_info, const char *payload, int payloadlen) { /
send_raw_tcp_buf[i++] = 0x03; send_raw_tcp_buf[i++] = 0x03;
send_raw_tcp_buf[i++] = 0x03; send_raw_tcp_buf[i++] = 0x03;
send_raw_tcp_buf[i++] = wscale; send_raw_tcp_buf[i++] = wscale;
if(g_tcp_spa && tcph->ack == 0) {
tcph->doff = 12;
tcpopt_data_t opt = {TCPOPT_SPA, sizeof(tcpopt_data_t), 0, 0};
uint32_t csum = checksum(ts, key_string);
opt.csum = htonl(csum);
memcpy(&send_raw_tcp_buf[i], &opt, opt.opsize);
i += opt.opsize;
}
} else { } else {
tcph->doff = 8; tcph->doff = 8;
int i = sizeof(my_tcphdr); int i = sizeof(my_tcphdr);
@@ -2113,6 +2157,8 @@ int parse_tcp_option(char *option_begin, char *option_end, packet_info_t &recv_i
recv_info.has_ts = 0; recv_info.has_ts = 0;
recv_info.ts = 0; recv_info.ts = 0;
tcpopt_data_t *opt = NULL;
char *ptr = option_begin; char *ptr = option_begin;
// char *option_end=tcp_begin+tcp_hdr_len; // char *option_end=tcp_begin+tcp_hdr_len;
while (ptr < option_end) { while (ptr < option_end) {
@@ -2143,6 +2189,14 @@ int parse_tcp_option(char *option_begin, char *option_end, packet_info_t &recv_i
// return 0;//we currently only parse ts, so just return after its found // return 0;//we currently only parse ts, so just return after its found
ptr += 10; ptr += 10;
} else if (recv_info.syn == 1 && recv_info.ack == 0
&& g_tcp_spa && (unsigned char)*ptr == TCPOPT_SPA) {
if (ptr + sizeof(tcpopt_data_t) > option_end) {
mylog(log_trace, "ptr+8>option_end for TCPOPT_SPA\n");
return -2;
}
opt = (tcpopt_data_t*)ptr;
ptr += sizeof(tcpopt_data_t);
} else { } else {
if (ptr + 1 >= option_end) { if (ptr + 1 >= option_end) {
mylog(log_trace, "invaild option ptr+1==option_end\n"); mylog(log_trace, "invaild option ptr+1==option_end\n");
@@ -2160,7 +2214,18 @@ int parse_tcp_option(char *option_begin, char *option_end, packet_info_t &recv_i
// printf("!"); // printf("!");
} }
// printf("\n"); // printf("\n");
if(recv_info.syn == 1 && recv_info.ack == 0 && g_tcp_spa) {
if(opt == NULL) {
mylog(log_trace, "No found spa opt, pkt drop\n");
return -2;
}
uint32_t csum = checksum(htonl(recv_info.ts), key_string);
if(opt->csum != htonl(csum)){
mylog(log_trace, "SPA csum match failed\n");
return -2;
}
}
return 0; return 0;
} }
int recv_raw_tcp(raw_info_t &raw_info, char *&payload, int &payloadlen) { int recv_raw_tcp(raw_info_t &raw_info, char *&payload, int &payloadlen) {
@@ -2294,7 +2359,8 @@ int recv_raw_tcp(raw_info_t &raw_info, char *&payload, int &payloadlen) {
} }
printf("<%d %d>\n",recv_info.ts,recv_info.ts_ack); printf("<%d %d>\n",recv_info.ts,recv_info.ts_ack);
*/ */
parse_tcp_option(tcp_option, option_end, recv_info);
//parse_tcp_option(tcp_option, option_end, recv_info);
recv_info.ack = tcph->ack; recv_info.ack = tcph->ack;
recv_info.syn = tcph->syn; recv_info.syn = tcph->syn;
@@ -2304,6 +2370,9 @@ int recv_raw_tcp(raw_info_t &raw_info, char *&payload, int &payloadlen) {
recv_info.seq = ntohl(tcph->seq); recv_info.seq = ntohl(tcph->seq);
if(-2 == parse_tcp_option(tcp_option, option_end, recv_info))
return -1;
// recv_info.last_last_ack_seq=recv_info.last_ack_seq; // recv_info.last_last_ack_seq=recv_info.last_ack_seq;
// recv_info.last_ack_seq=recv_info.ack_seq; // recv_info.last_ack_seq=recv_info.ack_seq;
u32_t last_ack_seq = recv_info.ack_seq; u32_t last_ack_seq = recv_info.ack_seq;

View File

@@ -226,12 +226,12 @@ struct packet_info_t // todo change this to union
bool has_ts; bool has_ts;
i32_t data_len;
#ifdef UDP2RAW_LINUX #ifdef UDP2RAW_LINUX
sockaddr_ll addr_ll; sockaddr_ll addr_ll;
#endif #endif
i32_t data_len;
packet_info_t(); packet_info_t();
}; };

BIN
udp2raw Executable file

Binary file not shown.