diff --git a/backend/binsrc/classes/nfqueue.cpp b/backend/binsrc/classes/nfqueue.cpp
index 02de950..cb9eccb 100644
--- a/backend/binsrc/classes/nfqueue.cpp
+++ b/backend/binsrc/classes/nfqueue.cpp
@@ -134,7 +134,8 @@ class PktRequest {
 l4_proto = fill_l4_info();
 #ifdef DEBUG
 if (tcp){
- cerr << "[DEBUG] NEW_PACKET " << (is_input?"-> IN ":"<- OUT") << " [SEQ: " << tcp->seq() << "] \t[ACK: " << tcp->ack_seq() << "] \t[SIZE: " << data_size() << "]" << endl;
+ cerr << "[DEBUG] NEW_PACKET " << (is_input?"-> IN ":"<- OUT") << " [SIZE: " << data_size() << "] FLAGS: " << (tcp->get_flag(Tins::TCP::FIN)?"FIN ":"") << (tcp->get_flag(Tins::TCP::SYN)?"SYN ":"") << (tcp->get_flag(Tins::TCP::RST)?"RST ":"") << (tcp->get_flag(Tins::TCP::ACK)?"ACK ":"") << (tcp->get_flag(Tins::TCP::PSH)?"PSH ":"") << endl;
+ cerr << "[SEQ: " << tcp->seq() << "] [ACK: " << tcp->ack_seq() << "]" << " [WIN: " << tcp->window() << "] [FLAGS: " << tcp->flags() << "]\n" << endl;
 }
 #endif
 }
@@ -237,7 +238,8 @@ class PktRequest {
 }
 #ifdef DEBUG
 size_t new_size = inner_data_size(tcp);
- cerr << "[DEBUG] FIXED PKT " << (is_input?"-> IN ":"<- OUT") << " [SEQ: " << tcp->seq() << "] \t[ACK: " << tcp->ack_seq() << "] \t[SIZE: " << new_size << "]" << endl;
+ cerr << "[DEBUG] FIXED PKT " << (is_input?"-> IN ":"<- OUT") << " [SIZE: " << data_size() << "] FLAGS: " << (tcp->get_flag(Tins::TCP::FIN)?"FIN ":"") << (tcp->get_flag(Tins::TCP::SYN)?"SYN ":"") << (tcp->get_flag(Tins::TCP::RST)?"RST ":"") << (tcp->get_flag(Tins::TCP::ACK)?"ACK ":"") << (tcp->get_flag(Tins::TCP::PSH)?"PSH ":"") << endl;
+ cerr << "[SEQ: " << tcp->seq() << "] [ACK: " << tcp->ack_seq() << "]" << " [WIN: " << tcp->window() << "] [FLAGS: " << tcp->flags() << "]\n" << endl;
 #endif
 }
 
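Review bot: The two-line TCP debug print added here is the same stream expression that the FIXED PKT and MANGLEDPKT hunks paste again, so any future change to the format has to be made three times, and each copy ends with `"]\n" << endl`, which emits a blank line and forces a flush of `cerr` per packet. I would move the formatting into one helper under `#ifdef DEBUG`, e.g. `void debug_tcp(const char* tag, size_t size) const;`, that prints `"[DEBUG] " << tag << ...` followed by the SEQ/ACK/WIN/FLAGS line, and call `debug_tcp("NEW_PACKET", data_size());` here. The raw `tcp->flags()` value is printed next to the decoded flag names; a comment such as `// raw flags word, decoded names above` would explain why both appear. The enclosing function starts outside the hunk.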
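Review bot: In the FIXED PKT hunk the replaced line still computes `size_t new_size = inner_data_size(tcp);` but the new log prints `data_size()` instead, so `new_size` is now unused (an unused-variable warning in DEBUG builds) and the line labelled FIXED PKT no longer reports the size that was just recomputed for the fixed packet. Unless `data_size()` is known to reflect the fixed length at this point, restore the old value: `" [SIZE: " << new_size << "] FLAGS: "`. The enclosing function starts outside the hunk; its closing brace appears to be the last context line.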
@@ -360,7 +362,10 @@ class PktRequest {
 }
 nfq_nlmsg_verdict_put_pkt(nlh_verdict, packet.data(), packet.size());
 #ifdef DEBUG
- cerr << "[DEBUG] MANGLEDPKT " << (is_input?"-> IN ":"<- OUT") << " [SIZE: " << packet.size()-header_size() << "]" << endl;
+ if (tcp){
+ cerr << "[DEBUG] MANGLEDPKT " << (is_input?"-> IN ":"<- OUT") << " [SIZE: " << data_size() << "] FLAGS: " << (tcp->get_flag(Tins::TCP::FIN)?"FIN ":"") << (tcp->get_flag(Tins::TCP::SYN)?"SYN ":"") << (tcp->get_flag(Tins::TCP::RST)?"RST ":"") << (tcp->get_flag(Tins::TCP::ACK)?"ACK ":"") << (tcp->get_flag(Tins::TCP::PSH)?"PSH ":"") << endl;
+ cerr << "[SEQ: " << tcp->seq() << "] [ACK: " << tcp->ack_seq() << "]" << " [WIN: " << tcp->window() << "] [FLAGS: " << tcp->flags() << "]\n" << endl;
+ }
 #endif
 if (tcp && ack_seq_offset && packet.size() != _original_size){
 if (is_input){
diff --git a/backend/modules/nfproxy/nftables.py b/backend/modules/nfproxy/nftables.py
index 5bb1050..046d98d 100644
--- a/backend/modules/nfproxy/nftables.py
+++ b/backend/modules/nfproxy/nftables.py
@@ -34,7 +34,7 @@ class FiregexTables(NFTableManager):
 "name":self.input_chain,
 "type":"filter",
 "hook":"prerouting",
- "prio":-301,
+ "prio":-310,
 "policy":"accept"
 }}},
 {"add":{"chain":{ #Output chain attached after conntrack saw it
@@ -43,7 +43,7 @@ class FiregexTables(NFTableManager):
 "name":self.output_chain,
 "type":"filter",
 "hook":"postrouting",
- "prio":-290,
+ "prio":-310,
 "policy":"accept"
 }}}
 ],[
diff --git a/fgex-lib/firegex/nfproxy/internals/data.py b/fgex-lib/firegex/nfproxy/internals/data.py
index c9940ed..ce5062c 100644
--- a/fgex-lib/firegex/nfproxy/internals/data.py
+++ b/fgex-lib/firegex/nfproxy/internals/data.py
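Review bot: Non-TCP packets lose their MANGLEDPKT debug line in this hunk: the old print was unconditional, the new one is wrapped in `if (tcp)`, so a mangled UDP packet passed to `nfq_nlmsg_verdict_put_pkt` is no longer visible in DEBUG output. The size printed also changed from `packet.size()-header_size()`, which describes the buffer actually handed to the verdict, to `data_size()`, which presumably comes from the original parse and may not reflect a length-changing mangle — worth confirming. I would keep the old line as the fallback: `} else { cerr << "[DEBUG] MANGLEDPKT " << (is_input?"-> IN ":"<- OUT") << " [SIZE: " << packet.size()-header_size() << "]" << endl; }`. The enclosing function starts and ends outside the hunk.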
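Review bot: The new prerouting priority `-310` is an undocumented literal that now also appears verbatim on the postrouting chain in the next hunk, and nothing says why both chains must sit there. In nftables terms -310 is below the raw table (-300) and conntrack (-200), so in prerouting the queue sees and may mangle the packet before any raw-table rule and before conntrack tracks it; if that ordering is the intent (the C++ side adjusts seq/ack offsets itself), it deserves a named constant and a sentence. I would add at module level `NFPROXY_CHAIN_PRIO = -310  # below raw (-300) and conntrack (-200): the proxy must see the packet before conntrack` and use `"prio":NFPROXY_CHAIN_PRIO` in both chain definitions. The enclosing method starts and ends outside the hunk.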
@@ -56,8 +56,7 @@ class RawPacket:
 raise Exception("Invalid data type, data MUST be of type bytes")
 #if len(v) != self.__l4_size:
 # raise Exception("Invalid data size, must be equal to the original packet header size (due to a technical limitation)")
- self.__raw_packet = self.__raw_packet[:self.raw_packet_header_len]+v
- self.__l4_size = len(v)
+ self.raw_packet = self.__raw_packet[:self.raw_packet_header_len]+v
 
 @property
 def raw_packet(self) -> bytes:
@@ -67,6 +66,8 @@ class RawPacket:
 def raw_packet(self, v:bytes):
 if not isinstance(v, bytes):
 raise Exception("Invalid data type, data MUST be of type bytes")
+ if len(v) > 2**16:
+ raise Exception("Invalid data size, must be less than 2^16 bytes")
 #if len(v) != len(self.__raw_packet):
 # raise Exception("Invalid data size, must be equal to the original packet size (due to a technical limitation)")
 if len(v) < self.raw_packet_header_len:
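Review bot: The removed `self.__l4_size = len(v)` was the only update of `__l4_size` visible in this hunk, and the `data` setter now delegates to the `raw_packet` property instead; that is the right direction for sharing validation, but it is only correct if the `raw_packet` setter recomputes `__l4_size` itself, and its body continues past the next hunk where I cannot see that. If it does not, the commented-out `#if len(v) != self.__l4_size:` check and any reader of `__l4_size` would observe the stale pre-mangle length after `data` is assigned. Either recompute it in the `raw_packet` setter or keep `self.__l4_size = len(v)` here, and note the invariant with `# __l4_size is derived from raw_packet; the raw_packet setter is the single writer`. The enclosing setter starts outside the hunk.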
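Review bot: The new bound in the `raw_packet` setter is off by one: `if len(v) > 2**16:` accepts a 65536-byte packet, while the message promises "less than 2^16 bytes" and the IPv4 total-length field can only express 65535. Use `if len(v) > 0xFFFF:` (or `>= 2**16`) so the check matches both the message and the header field. This setter is the choke point for user-supplied rewrites reaching the C++ queue, so the limit should also be commented with what it protects, e.g. `# IPv4 total length is a 16-bit field; larger buffers cannot be re-serialised`. If IPv6 is in scope, note that its 16-bit limit covers the payload rather than the whole packet, so the bound may need to be per-family — presumably out of scope here, but worth a comment. The enclosing setter continues past the hunk.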