feat: Implement IPv6 support

Author: MikeWang000000

include/globvar.h

@@ -25,7 +25,8 @@
 
 struct fh_context {
     int exit;
-    int sockfd;
+    int sock4fd;
+    int sock6fd;
     FILE *logfp;
 
     /* -d */ int daemon;

include/ipv6ipt.h

@@ -20,10 +20,8 @@
 #ifndef FH_IPV6IPT_H
 #define FH_IPV6IPT_H
 
-/* TODO: NOT IMPLEMENTED */
 int fh_ipt6_flush(int auto_create);
 
-/* TODO: NOT IMPLEMENTED */
 int fh_ipt6_add(void);
 
 #endif /* FH_IPV6IPT_H */

include/ipv6nft.h

@@ -20,10 +20,8 @@
 #ifndef FH_IPV6NFT_H
 #define FH_IPV6NFT_H
 
-/* TODO: NOT IMPLEMENTED */
 int fh_nft6_flush(int auto_create);
 
-/* TODO: NOT IMPLEMENTED */
 int fh_nft6_add(void);
 
 #endif /* FH_IPV6NFT_H */

include/ipv6pkt.h

@@ -24,12 +24,10 @@
 #include <stdlib.h>
 #include <netinet/tcp.h>
 
-/* TODO: NOT IMPLEMENTED */
 int fh_pkt6_parse(void *pkt_data, int pkt_len, struct sockaddr *saddr,
                   struct sockaddr *daddr, struct tcphdr **tcph_ptr,
                   int *tcp_payload_len);
 
-/* TODO: NOT IMPLEMENTED */
 int fh_pkt6_make(char *buffer, size_t buffer_size, struct sockaddr *saddr,
                  struct sockaddr *daddr, uint16_t sport_be, uint16_t dport_be,
                  uint32_t seq_be, uint32_t ackseq_be, int psh,

include/rawsock.h

@@ -20,7 +20,7 @@
 #ifndef FH_RAWSOCK_H
 #define FH_RAWSOCK_H
 
-int fh_rawsock_setup(void);
+int fh_rawsock_setup(int af);
 
 void fh_rawsock_cleanup(void);
 

src/globvar.c

@@ -24,7 +24,8 @@
 #include <stdio.h>
 
 struct fh_context g_ctx = {.exit = 0,
-                           .sockfd = -1,
+                           .sock4fd = -1,
+                           .sock6fd = -1,
                            .logfp = NULL,
 
                            /* -d */ .daemon = 0,

src/ipv4nft.c

@@ -30,7 +30,7 @@
 int fh_nft4_flush(int auto_create)
 {
     int res;
-    char *nft_flush_cmd[] = {"nft", "flush table fakehttp", NULL};
+    char *nft_flush_cmd[] = {"nft", "flush table ip fakehttp", NULL};
     char *nft_cmd[] = {"nft", "-f", "-", NULL};
     char *nft_create_conf =
         "table ip fakehttp {\n"

src/ipv6ipt.c

@@ -27,17 +27,139 @@
 #include "logging.h"
 #include "process.h"
 
-/* TODO: NOT IMPLEMENTED */
 int fh_ipt6_flush(int auto_create)
 {
-    (void) auto_create;
+    int res;
+    size_t i, cnt;
+    char *ipt_flush_cmd[] = {"ip6tables", "-w",       "-t", "mangle",
+                             "-F",        "FAKEHTTP", NULL};
+    char *ipt_create_cmds[][32] = {
+        {"ip6tables", "-w", "-t", "mangle", "-N", "FAKEHTTP", NULL},
 
-    return -1;
+        {"ip6tables", "-w", "-t", "mangle", "-I", "INPUT", "-j", "FAKEHTTP",
+         NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-I", "FORWARD", "-j", "FAKEHTTP",
+         NULL}};
+
+    res = fh_execute_command(ipt_flush_cmd, 1, NULL);
+    if (res < 0) {
+        if (!auto_create) {
+            E(T(fh_execute_command));
+            return -1;
+        }
+
+        cnt = sizeof(ipt_create_cmds) / sizeof(*ipt_create_cmds);
+        for (i = 0; i < cnt; i++) {
+            res = fh_execute_command(ipt_create_cmds[i], 0, NULL);
+            if (res < 0) {
+                E(T(fh_execute_command));
+                return -1;
+            }
+        }
+    }
+
+    return 0;
 }
 
 
-/* TODO: NOT IMPLEMENTED */
 int fh_ipt6_add(void)
 {
-    return -1;
+    char xmark_str[64], nfqnum_str[32], iface_str[32];
+    size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
+    int res;
+    char *ipt_cmds[][32] = {
+        /*
+            exclude marked packets
+        */
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-m", "mark",
+         "--mark", xmark_str, "-j", "CONNMARK", "--set-xmark", xmark_str,
+         NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-m", "connmark",
+         "--mark", xmark_str, "-j", "MARK", "--set-xmark", xmark_str, NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-m", "mark",
+         "--mark", xmark_str, "-j", "RETURN", NULL},
+
+        /*
+            exclude special IPv6 addresses
+        */
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s", "::/127",
+         "-j", "RETURN", NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+         "::ffff:0:0/96", "-j", "RETURN", NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+         "64:ff9b::/96", "-j", "RETURN", NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+         "64:ff9b:1::/48", "-j", "RETURN", NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+         "2002::/16", "-j", "RETURN", NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s", "fc00::/7",
+         "-j", "RETURN", NULL},
+
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+         "fe80::/10", "-j", "RETURN", NULL},
+
+        /*
+            send to nfqueue
+        */
+        {"ip6tables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-i", iface_str,
+         "-p", "tcp", "--tcp-flags", "ACK,FIN,RST", "ACK", "-j", "NFQUEUE",
+         "--queue-bypass", "--queue-num", nfqnum_str, NULL}};
+
+    char *ipt_opt_cmds[][32] = {
+        /*
+            exclude packets from connections with more than 32 packets
+        */
+        {"ip6tables", "-w", "-t", "mangle", "-I", "FAKEHTTP", "-m",
+         "connbytes", "!", "--connbytes", "0:32", "--connbytes-dir", "both",
+         "--connbytes-mode", "packets", "-j", "RETURN", NULL},
+
+        /*
+            exclude big packets
+        */
+        {"ip6tables", "-w", "-t", "mangle", "-I", "FAKEHTTP", "-m", "length",
+         "!", "--length", "0:120", "-j", "RETURN", NULL}};
+
+    ipt_cmds_cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
+    ipt_opt_cmds_cnt = sizeof(ipt_opt_cmds) / sizeof(*ipt_opt_cmds);
+
+    res = snprintf(xmark_str, sizeof(xmark_str), "%" PRIu32 "/%" PRIu32,
+                   g_ctx.fwmark, g_ctx.fwmask);
+    if (res < 0 || (size_t) res >= sizeof(xmark_str)) {
+        E("ERROR: snprintf(): %s", "failure");
+        return -1;
+    }
+
+    res = snprintf(nfqnum_str, sizeof(nfqnum_str), "%" PRIu32, g_ctx.nfqnum);
+    if (res < 0 || (size_t) res >= sizeof(nfqnum_str)) {
+        E("ERROR: snprintf(): %s", "failure");
+        return -1;
+    }
+
+    res = snprintf(iface_str, sizeof(iface_str), "%s", g_ctx.iface);
+    if (res < 0 || (size_t) res >= sizeof(iface_str)) {
+        E("ERROR: snprintf(): %s", "failure");
+        return -1;
+    }
+
+    for (i = 0; i < ipt_cmds_cnt; i++) {
+        res = fh_execute_command(ipt_cmds[i], 0, NULL);
+        if (res < 0) {
+            E(T(fh_execute_command));
+            return -1;
+        }
+    }
+
+    for (i = 0; i < ipt_opt_cmds_cnt; i++) {
+        fh_execute_command(ipt_opt_cmds[i], 1, NULL);
+    }
+
+    return 0;
 }

src/ipv6nft.c

@@ -27,17 +27,127 @@
 #include "logging.h"
 #include "process.h"
 
-/* TODO: NOT IMPLEMENTED */
 int fh_nft6_flush(int auto_create)
 {
-    (void) auto_create;
+    int res;
+    char *nft_flush_cmd[] = {"nft", "flush table ip6 fakehttp", NULL};
+    char *nft_cmd[] = {"nft", "-f", "-", NULL};
+    char *nft_create_conf =
+        "table ip6 fakehttp {\n"
+        "    chain fh_input {\n"
+        "        type filter hook input priority mangle - 5;\n"
+        "        policy accept;\n"
+        "    }\n"
+        "\n"
+        "    chain fh_output {\n"
+        "        type filter hook forward priority mangle - 5;\n"
+        "        policy accept;\n"
+        "    }\n"
+        "\n"
+        "    chain fh_rules {\n"
+        "    }\n"
+        "}\n";
 
-    return -1;
+    res = fh_execute_command(nft_flush_cmd, 1, NULL);
+    if (res < 0) {
+        if (!auto_create) {
+            E(T(fh_execute_command));
+            return -1;
+        }
+
+        res = fh_execute_command(nft_cmd, 0, nft_create_conf);
+        if (res < 0) {
+            E(T(fh_execute_command));
+            return -1;
+        }
+    }
+
+    return 0;
 }
 
 
-/* TODO: NOT IMPLEMENTED */
 int fh_nft6_add(void)
 {
-    return -1;
+    size_t i, nft_opt_cmds_cnt;
+    int res;
+    char *nft_cmd[] = {"nft", "-f", "-", NULL};
+    char nft_conf_buff[2048];
+    char *nft_conf_fmt =
+        "table ip6 fakehttp {\n"
+        "    chain fh_input {\n"
+        "        jump fh_rules;\n"
+        "    }\n"
+        "\n"
+        "    chain fh_output {\n"
+        "        jump fh_rules;\n"
+        "    }\n"
+        "\n"
+        "    chain fh_rules {\n"
+
+        /*
+            exclude marked packets
+        */
+        "        meta mark and %" PRIu32 " == %" PRIu32
+        " ct mark set ct mark and %" PRIu32 " xor %" PRIu32 ";\n"
+
+        "        ct mark and %" PRIu32 " == %" PRIu32
+        " meta mark set mark and %" PRIu32 " xor %" PRIu32 ";\n"
+
+        "        meta mark and %" PRIu32 " == %" PRIu32 " return;\n"
+
+        /*
+            exclude special IPv6 addresses
+        */
+        "        ip6 saddr ::/127         return;\n"
+        "        ip6 saddr ::ffff:0:0/96  return;\n"
+        "        ip6 saddr 64:ff9b::/96   return;\n"
+        "        ip6 saddr 64:ff9b:1::/48 return;\n"
+        "        ip6 saddr 2002::/16      return;\n"
+        "        ip6 saddr fc00::/7       return;\n"
+        "        ip6 saddr fe80::/10      return;\n"
+
+        /*
+            send to nfqueue
+        */
+        "        iifname \"%s\" tcp flags & (fin | rst | ack) == ack queue "
+        "num %" PRIu32 " bypass;\n"
+
+        "    }\n"
+        "}\n";
+
+    char *nft_opt_cmds[][32] = {
+        /*
+            exclude packets from connections with more than 32 packets
+        */
+        {"nft", "insert rule ip6 fakehttp fh_rules ct packets > 32 return",
+         NULL},
+
+        /*
+            exclude big packets
+        */
+        {"nft", "insert rule ip6 fakehttp fh_rules meta length > 120 return",
+         NULL}};
+
+    nft_opt_cmds_cnt = sizeof(nft_opt_cmds) / sizeof(*nft_opt_cmds);
+
+    res = snprintf(nft_conf_buff, sizeof(nft_conf_buff), nft_conf_fmt,
+                   g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
+                   g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
+                   g_ctx.fwmask, g_ctx.fwmark, g_ctx.iface, g_ctx.nfqnum);
+    if (res < 0 || (size_t) res >= sizeof(nft_conf_buff)) {
+        E("ERROR: snprintf(): %s", "failure");
+        return -1;
+    }
+
+    res = fh_execute_command(nft_cmd, 1, nft_conf_buff);
+    if (res < 0) {
+        E(T(fh_execute_command));
+        return -1;
+    }
+
+    for (i = 0; i < nft_opt_cmds_cnt; i++) {
+        fh_execute_command(nft_opt_cmds[i], 1, NULL);
+    }
+
+    return 0;
 }