diff --git a/backend/binsrc/classes/nfqueue.cpp b/backend/binsrc/classes/nfqueue.cpp index 04ee946..9a60271 100644 --- a/backend/binsrc/classes/nfqueue.cpp +++ b/backend/binsrc/classes/nfqueue.cpp @@ -295,7 +295,7 @@ class PktRequest { if (tcp){ //If the packet has data, we have to remove it set_data(nullptr, 0); - //For the first matched data or only for data packets, we set RST bit + //For the first matched data or only for data packets, we set FIN bit //This only for client packets, because this will trigger server to close the connection //Packets will be filtered anyway also if client don't send packets if (_data_original_size != 0){ @@ -585,4 +585,4 @@ uint32_t hash_stream_id(const stream_id &sid) { } }} -#endif // NFQUEUE_CLASS_CPP +#endif // NFQUEUE_CLASS_CPP \ No newline at end of file diff --git a/backend/modules/nfproxy/nftables.py b/backend/modules/nfproxy/nftables.py index 473e8cc..046d98d 100644 --- a/backend/modules/nfproxy/nftables.py +++ b/backend/modules/nfproxy/nftables.py @@ -10,8 +10,7 @@ def convert_protocol_to_l4(proto:str): raise Exception("Invalid protocol") class FiregexFilter: - def __init__(self, proto:str, port:int, ip_int:str, target:str, id:int, family:str): - self.family = family + def __init__(self, proto:str, port:int, ip_int:str, target:str, id:int): self.id = id self.target = target self.proto = proto 
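Review bot: The rewritten `+` comment still reads "For the first matched data or only for data packets, we set FIN bit", which does not say when the flag is applied and does not record the consequence of moving from RST to FIN: a FIN is a half-close, so the peer observes an orderly EOF instead of ECONNRESET, and the connection only disappears once the server closes its side (the two context comments below already say the server is expected to do that and that later client packets are filtered anyway). Suggested wording for the three comment lines, as one comment: `//On the first matched data packet (client side only) the payload is stripped and FIN is set instead of RST: the server sees an orderly close and closes its side; further client packets are dropped by the stream filter, so the half-close is sufficient.` The code that actually sets the flag, and the `_data_original_size != 0` branch it guards, continue below the hunk's last visible line, so confirm the wording against that branch.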
@@ -29,30 +28,29 @@ class FiregexTables(NFTableManager): def __init__(self): super().__init__([ - - *[{"add":{"chain":{ #Input chain attached before conntrack see it - "family":fam, + {"add":{"chain":{ #Input chain attached before conntrack see it + "family":"inet", "table":self.table_name, "name":self.input_chain, "type":"filter", "hook":"prerouting", "prio":-310, "policy":"accept" - }}} for fam in ("inet", "bridge")], - *[{"add":{"chain":{ #Output chain attached after conntrack saw it - "family":fam, + }}}, + {"add":{"chain":{ #Output chain attached after conntrack saw it + "family":"inet", "table":self.table_name, "name":self.output_chain, "type":"filter", "hook":"postrouting", "prio":-310, "policy":"accept" - }}} for fam in ("inet", "bridge")], + }}} ],[ - *[{"flush":{"chain":{"table":self.table_name,"family":fam, "name":self.input_chain}}} for fam in ("inet", "bridge")], - *[{"delete":{"chain":{"table":self.table_name,"family":fam, "name":self.input_chain}}} for fam in ("inet", "bridge")], - *[{"flush":{"chain":{"table":self.table_name,"family":fam, "name":self.output_chain}}} for fam in ("inet", "bridge")], - *[{"delete":{"chain":{"table":self.table_name,"family":fam, "name":self.output_chain}}} for fam in ("inet", "bridge")], + {"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.input_chain}}}, + {"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.input_chain}}}, + {"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.output_chain}}}, + {"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.output_chain}}}, ]) def add(self, srv:Service, queue_range): @@ -65,8 +63,8 @@ class FiregexTables(NFTableManager): if init > end: init, end = end, init self.cmd( - *[{ "insert":{ "rule": { - "family": fam, + { "insert":{ "rule": { + "family": "inet", "table": self.table_name, "chain": self.output_chain, "expr": [ 
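Review bot: With both base chains now registered only in the `inet` family (the two `"family":"inet"` lines), frames that are switched between ports of a Linux bridge never reach these prerouting/postrouting hooks unless br_netfilter is loaded with `bridge-nf-call-iptables`/`bridge-nf-call-ip6tables` enabled; the removed `bridge` family did cover that path, so on a host where the protected service is reached through a bridge (e.g. container or VM bridges) the filter is silently bypassed rather than failing. The diff does not record why the family was dropped, so state the assumption next to the first chain: `# inet only: L2-bridged traffic is not inspected unless br_netfilter is enabled (bridge-family hooks removed deliberately)`. If some deployments do rely on bridged traffic being filtered, a startup check of `/proc/sys/net/bridge/bridge-nf-call-iptables` with a logged warning would turn the silent bypass into a visible one. `add`, which starts on the hunk's last line, continues outside the hunk.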
@@ -75,9 +73,9 @@ class FiregexTables(NFTableManager): {"mangle": {"key": {"meta": {"key": "mark"}},"value": 0x1338}}, {"queue": {"num": str(init) if init == end else {"range":[init, end] }, "flags": ["bypass"]}} ] - }}} for fam in ("inet", "bridge")], - *[{"insert":{"rule":{ - "family": fam, + }}}, + {"insert":{"rule":{ + "family": "inet", "table": self.table_name, "chain": self.input_chain, "expr": [ @@ -86,7 +84,7 @@ class FiregexTables(NFTableManager): {"mangle": {"key": {"meta": {"key": "mark"}},"value": 0x1337}}, {"queue": {"num": str(init) if init == end else {"range":[init, end] }, "flags": ["bypass"]}} ] - }}} for fam in ("inet", "bridge")] + }}} ) @@ -101,7 +99,6 @@ class FiregexTables(NFTableManager): res.append(FiregexFilter( target=filter["chain"], id=int(filter["handle"]), - family=filter["family"], proto=filter["expr"][1]["match"]["left"]["payload"]["protocol"], port=filter["expr"][1]["match"]["right"], ip_int=ip_int @@ -112,10 +109,9 @@ class FiregexTables(NFTableManager): for filter in self.get(): if filter.__eq__(srv): self.cmd({ "delete":{ "rule": { - "family": filter.family, - "table": self.table_name, - "chain": filter.target, - "handle": filter.id - }}} - ) + "family": "inet", + "table": self.table_name, + "chain": filter.target, + "handle": filter.id + }}}) \ No newline at end of file diff --git a/backend/modules/nfregex/nftables.py b/backend/modules/nfregex/nftables.py index fe8601d..c352226 100644 --- a/backend/modules/nfregex/nftables.py +++ b/backend/modules/nfregex/nftables.py @@ -2,8 +2,7 @@ from modules.nfregex.models import Service from utils import ip_parse, ip_family, NFTableManager, nftables_int_to_json class FiregexFilter: - def __init__(self, proto:str, port:int, ip_int:str, target:str, id:int, family:str): - self.family = family + def __init__(self, proto:str, port:int, ip_int:str, target:str, id:int): self.id = id self.target = target self.proto = proto 
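Review bot: The re-inserted input-chain rule keeps `"flags": ["bypass"]` on its `queue` expression (the output-chain rule in the hunk above carries the same line), which makes nft accept the packet unfiltered whenever no consumer is bound to the queue numbers, i.e. the filter fails open if the nfqueue worker has not started yet or has died. That is a defensible choice for keeping a CTF service reachable, but nothing in the file says it is intentional; add on that line `# bypass: with no nfqueue consumer attached the packet is ACCEPTed unfiltered (fail-open by design)`. The `0x1337`/`0x1338` mangle marks presumably tell the consumer which direction a packet came from; a one-line comment naming that would help the next reader as well. The `add` method these rules belong to starts above the hunk.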
@@ -21,29 +20,29 @@ class FiregexTables(NFTableManager): def __init__(self): super().__init__([ - *[{"add":{"chain":{ - "family":fam, + {"add":{"chain":{ + "family":"inet", "table":self.table_name, "name":self.input_chain, "type":"filter", "hook":"prerouting", "prio":-301, "policy":"accept" - }}} for fam in ("inet", "bridge")], - *[{"add":{"chain":{ - "family":fam, + }}}, + {"add":{"chain":{ + "family":"inet", "table":self.table_name, "name":self.output_chain, "type":"filter", "hook":"postrouting", "prio":-301, "policy":"accept" - }}} for fam in ("inet", "bridge")] + }}} ],[ - *[{"flush":{"chain":{"table":self.table_name,"family":fam, "name":self.input_chain}}} for fam in ("inet", "bridge")], - *[{"delete":{"chain":{"table":self.table_name,"family":fam, "name":self.input_chain}}} for fam in ("inet", "bridge")], - *[{"flush":{"chain":{"table":self.table_name,"family":fam, "name":self.output_chain}}} for fam in ("inet", "bridge")], - *[{"delete":{"chain":{"table":self.table_name,"family":fam, "name":self.output_chain}}} for fam in ("inet", "bridge")], + {"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.input_chain}}}, + {"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.input_chain}}}, + {"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.output_chain}}}, + {"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.output_chain}}}, ]) def add(self, srv:Service, queue_range): @@ -56,8 +55,8 @@ class FiregexTables(NFTableManager): if init > end: init, end = end, init self.cmd( - *[{ "insert":{ "rule": { - "family": fam, + { "insert":{ "rule": { + "family": "inet", "table": self.table_name, "chain": self.output_chain, "expr": [ 
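Review bot: After dropping the `for fam in (...)` comprehensions, `__init__` spells out two eight-key `add chain` dicts and four near-identical `flush`/`delete` dicts by hand, and the same literal shapes now exist three times across the nfproxy, nfregex and porthijack modules, differing only in chain name, hook and priority. Two small builders on the class keep the JSON in one place so the next family or priority change touches one line; `NFTableManager` (outside this hunk) would be the natural home if the other two modules adopt them too. The builders read `self.table_name` and the chain names from class attributes before `super().__init__` runs, exactly as the current literals already do, and the flush/delete order (flush input, delete input, flush output, delete output) is preserved. Rewritten `__init__` below; `add`, starting on the hunk's last line, is unchanged.
```python
    def _base_chain(self, name: str, hook: str, prio: int) -> dict:
        """`add chain` command for a base filter chain of this table in the inet family."""
        return {"add": {"chain": {
            "family": "inet", "table": self.table_name, "name": name,
            "type": "filter", "hook": hook, "prio": prio, "policy": "accept",
        }}}

    def _chain_ref(self, op: str, name: str) -> dict:
        """`flush chain` / `delete chain` command for one of this table's chains."""
        return {op: {"chain": {"table": self.table_name, "family": "inet", "name": name}}}

    def __init__(self):
        super().__init__([
            self._base_chain(self.input_chain, "prerouting", -301),
            self._base_chain(self.output_chain, "postrouting", -301),
        ], [
            self._chain_ref(op, name)
            for name in (self.input_chain, self.output_chain)
            for op in ("flush", "delete")
        ])
    # … unchanged: add(), get(), delete() …
```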
@@ -66,9 +65,9 @@ class FiregexTables(NFTableManager): {"mangle": {"key": {"meta": {"key": "mark"}},"value": 0x1338}}, {"queue": {"num": str(init) if init == end else {"range":[init, end] }, "flags": ["bypass"]}} ] - }}} for fam in ("inet", "bridge")], - *[{"insert":{"rule":{ - "family": fam, + }}}, + {"insert":{"rule":{ + "family": "inet", "table": self.table_name, "chain": self.input_chain, "expr": [ @@ -77,7 +76,7 @@ class FiregexTables(NFTableManager): {"mangle": {"key": {"meta": {"key": "mark"}},"value": 0x1337}}, {"queue": {"num": str(init) if init == end else {"range":[init, end] }, "flags": ["bypass"]}} ] - }}} for fam in ("inet", "bridge")] + }}} ) @@ -92,7 +91,6 @@ class FiregexTables(NFTableManager): res.append(FiregexFilter( target=filter["chain"], id=int(filter["handle"]), - family=filter["family"], proto=filter["expr"][1]["match"]["left"]["payload"]["protocol"], port=filter["expr"][1]["match"]["right"], ip_int=ip_int @@ -103,7 +101,7 @@ class FiregexTables(NFTableManager): for filter in self.get(): if filter.__eq__(srv): self.cmd({ "delete":{ "rule": { - "family": filter.family, + "family": "inet", "table": self.table_name, "chain": filter.target, "handle": filter.id diff --git a/backend/modules/porthijack/nftables.py b/backend/modules/porthijack/nftables.py index fee2cd6..0590b2f 100644 --- a/backend/modules/porthijack/nftables.py +++ b/backend/modules/porthijack/nftables.py @@ -2,9 +2,8 @@ from modules.porthijack.models import Service from utils import addr_parse, ip_parse, ip_family, NFTableManager, nftables_json_to_int class FiregexHijackRule(): - def __init__(self, proto:str, public_port:int,proxy_port:int, ip_src:str, ip_dst:str, target:str, id:int, family:str): + def __init__(self, proto:str, public_port:int,proxy_port:int, ip_src:str, ip_dst:str, target:str, id:int): self.id = id - self.family = family self.target = target self.proto = proto self.public_port = public_port 
@@ -23,29 +22,29 @@ class FiregexTables(NFTableManager): def __init__(self): super().__init__([ - *[{"add":{"chain":{ - "family":fam, + {"add":{"chain":{ + "family":"inet", "table":self.table_name, "name":self.prerouting_porthijack, "type":"filter", "hook":"prerouting", "prio":-310, "policy":"accept" - }}} for fam in ("inet", "bridge")], - *[{"add":{"chain":{ - "family":fam, + }}}, + {"add":{"chain":{ + "family":"inet", "table":self.table_name, "name":self.postrouting_porthijack, "type":"filter", "hook":"postrouting", "prio":-310, "policy":"accept" - }}} for fam in ("inet", "bridge")] + }}} ],[ - *[{"flush":{"chain":{"table":self.table_name,"family":fam, "name":self.prerouting_porthijack}}} for fam in ("inet", "bridge")], - *[{"delete":{"chain":{"table":self.table_name,"family":fam, "name":self.prerouting_porthijack}}} for fam in ("inet", "bridge")], - *[{"flush":{"chain":{"table":self.table_name,"family":fam, "name":self.postrouting_porthijack}}} for fam in ("inet", "bridge")], - *[{"delete":{"chain":{"table":self.table_name,"family":fam, "name":self.postrouting_porthijack}}} for fam in ("inet", "bridge")] + {"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.prerouting_porthijack}}}, + {"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.prerouting_porthijack}}}, + {"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.postrouting_porthijack}}}, + {"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.postrouting_porthijack}}} ]) def add(self, srv:Service): @@ -54,8 +53,8 @@ class FiregexTables(NFTableManager): if ele.__eq__(srv): return - self.cmd(*[{ "insert":{ "rule": { - "family": fam, + self.cmd({ "insert":{ "rule": { + "family": "inet", "table": self.table_name, "chain": self.prerouting_porthijack, "expr": [ 
@@ -64,9 +63,9 @@ class FiregexTables(NFTableManager): {'mangle': {'key': {'payload': {'protocol': str(srv.proto), 'field': 'dport'}}, 'value': int(srv.proxy_port)}}, {'mangle': {'key': {'payload': {'protocol': ip_family(srv.ip_src), 'field': 'daddr'}}, 'value': addr_parse(srv.ip_dst)}} ] - }}} for fam in ("inet", "bridge")]) - self.cmd(*[{ "insert":{ "rule": { - "family": fam, + }}}) + self.cmd({ "insert":{ "rule": { + "family": "inet", "table": self.table_name, "chain": self.postrouting_porthijack, "expr": [ @@ -75,7 +74,7 @@ class FiregexTables(NFTableManager): {'mangle': {'key': {'payload': {'protocol': str(srv.proto), 'field': 'sport'}}, 'value': int(srv.public_port)}}, {'mangle': {'key': {'payload': {'protocol': ip_family(srv.ip_dst), 'field': 'saddr'}}, 'value': addr_parse(srv.ip_src)}} ] - }}} for fam in ("inet", "bridge")]) + }}}) def get(self) -> list[FiregexHijackRule]: @@ -84,7 +83,6 @@ class FiregexTables(NFTableManager): res.append(FiregexHijackRule( target=filter["chain"], id=int(filter["handle"]), - family=filter["family"], proto=filter["expr"][1]["match"]["left"]["payload"]["protocol"], public_port=filter["expr"][1]["match"]["right"] if filter["chain"] == self.prerouting_porthijack else filter["expr"][2]["mangle"]["value"], proxy_port=filter["expr"][1]["match"]["right"] if filter["chain"] == self.postrouting_porthijack else filter["expr"][2]["mangle"]["value"], @@ -97,7 +95,7 @@ class FiregexTables(NFTableManager): for filter in self.get(): if filter.__eq__(srv): self.cmd({ "delete":{ "rule": { - "family": filter.family, + "family": "inet", "table": self.table_name, "chain": filter.target, "handle": filter.id diff --git a/backend/utils/__init__.py b/backend/utils/__init__.py index eeb6b1a..b18b80f 100644 --- a/backend/utils/__init__.py +++ b/backend/utils/__init__.py 
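Review bot: The prerouting and postrouting hijack rules are still submitted in two separate `self.cmd(...)` calls (the `}}})` that closes the first insert, then `self.cmd({ "insert":{ "rule": {` that opens the second), so if the second insert fails the dport/daddr rewrite stays installed without its sport/saddr counterpart and replies leave the host un-rewritten; nfproxy and nfregex in this same diff pass both inserts to a single `self.cmd(` call. Join them the same way: replace `}}})` followed by `self.cmd({ "insert":{ "rule": {` with `}}},` followed by `{ "insert":{ "rule": {`, keeping the final `}}})`. Whether `cmd` applies its arguments as one nft transaction is decided in `NFTableManager` (outside this hunk); if it does, the joined call also makes the pair atomic. `add` starts above the hunk.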
@@ -143,7 +143,7 @@ class NFTableManager(Singleton): def init(self): self.reset() - self.raw_cmd(*[{"add":{"table":{"name":self.table_name,"family":fam}}} for fam in ("inet", "bridge")]) + self.raw_cmd({"add":{"table":{"name":self.table_name,"family":"inet"}}}) self.cmd(*self.__init_cmds) def reset(self): diff --git a/frontend/src/components/NFProxy/utils.ts b/frontend/src/components/NFProxy/utils.ts index 3ce66de..8c53f1b 100644 --- a/frontend/src/components/NFProxy/utils.ts +++ b/frontend/src/components/NFProxy/utils.ts @@ -117,7 +117,7 @@ from firegex.nfproxy import pyfilter from firegex.nfproxy import REJECT, ACCEPT, UNSTABLE_MANGLE, DROP # - The filter must return one of the following values: # - ACCEPT: The packet will be accepted -# - REJECT: The packet will be rejected (will be activated a mechanism to send a RST packet and drop all data in the stream) +# - REJECT: The packet will be rejected (will be activated a mechanism to send a FIN packet and drop all data in the stream) # - UNSTABLE_MANGLE: The packet will be mangled and accepted # - DROP: All the packets in this stream will be easly dropped diff --git a/tests/utils/tcpserver.py b/tests/utils/tcpserver.py index 0483022..519ab5e 100644 --- a/tests/utils/tcpserver.py +++ b/tests/utils/tcpserver.py @@ -64,7 +64,7 @@ class TcpServer: def recv_packet(self): try: return self.client_sock.recv(4096) - except (TimeoutError, ConnectionResetError): + except TimeoutError: if self.verbose: traceback.print_exc() return False
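Review bot: `init()` now adds only the `inet` table, but a host that ran the previous version still has a `bridge`-family table of the same `table_name` whose queue rules point at the same queue numbers and marks; unless `reset()` (its body lies below the hunk) deletes the table in both families, those stale bridge chains keep diverting bridged traffic after an upgrade, and a later `init()` will not notice. Either keep `reset()` tolerant of both families for at least one release, or document the manual `nft delete table bridge <table_name>` step, and record the coverage assumption at the call: `# inet only: L2-bridged traffic is not seen by these hooks without br_netfilter`. `init()` is fully visible here; `reset()` starts on the hunk's last line.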
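Review bot: The updated REJECT description, "will be activated a mechanism to send a FIN packet and drop all data in the stream", is awkward English for text shown to people writing filters and does not say what their client will observe after the change from RST to FIN. Suggested line: `# - REJECT: The packet will be rejected: the stream is closed with a FIN rather than a RST (the peer sees an orderly EOF) and all further data in the stream is dropped`. This template string continues beyond the hunk on both sides.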
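Review bot: With only `TimeoutError` caught, a stream the filter rejects now reaches the test server as `recv()` returning `b""` (the injected FIN), while a timeout still returns `False`; both are falsy, so a caller that checks `if not server.recv_packet()` can no longer tell a rejected stream from a stalled one, and a genuine RST now raises `ConnectionResetError` out of the helper instead of returning `False`. If the narrowing is intentional so that an unexpected RST fails the test loudly, say so on the `except` line, e.g. `except TimeoutError:  # a RST must propagate: REJECT now closes with FIN, so b"" is the expected outcome`, and have callers compare against `b""` and `False` explicitly. `recv_packet` lies entirely within the hunk.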