
Commit 22b1736

fix: Optimize firewall rules and allow skipping
1 parent a7af6f6 commit 22b1736


13 files changed

+144
-197
lines changed


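--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ Usage: fakehttp [options]
 
 Options:
 -d run as a daemon
+-f skip firewall rules
 -h <hostname> hostname for obfuscation (required)
 -i <interface> network interface name (required)
 -k kill the running process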

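--- a/include/globvar.h
+++ b/include/globvar.h
@@ -30,6 +30,7 @@ struct fh_context {
 FILE *logfp;
 
 /* -d */ int daemon;
+/* -f */ int skipfw;
 /* -h */ const char *hostname;
 /* -i */ const char *iface;
 /* -k */ int killproc;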

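--- a/include/ipv4ipt.h
+++ b/include/ipv4ipt.h
@@ -20,8 +20,8 @@
 #ifndef FH_IPV4IPT_H
 #define FH_IPV4IPT_H
 
-int fh_ipt4_flush(int auto_create);
+int fh_ipt4_setup(void);
 
-int fh_ipt4_add(void);
+void fh_ipt4_cleanup(void);
 
 #endif /* FH_IPV4IPT_H */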

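--- a/include/ipv4nft.h
+++ b/include/ipv4nft.h
@@ -20,8 +20,8 @@
 #ifndef FH_IPV4NFT_H
 #define FH_IPV4NFT_H
 
-int fh_nft4_flush(int auto_create);
+int fh_nft4_setup(void);
 
-int fh_nft4_add(void);
+void fh_nft4_cleanup(void);
 
 #endif /* FH_IPV4NFT_H */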

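--- a/include/ipv6ipt.h
+++ b/include/ipv6ipt.h
@@ -20,8 +20,8 @@
 #ifndef FH_IPV6IPT_H
 #define FH_IPV6IPT_H
 
-int fh_ipt6_flush(int auto_create);
+int fh_ipt6_setup(void);
 
-int fh_ipt6_add(void);
+void fh_ipt6_cleanup(void);
 
 #endif /* FH_IPV6IPT_H */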

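--- a/include/ipv6nft.h
+++ b/include/ipv6nft.h
@@ -20,8 +20,8 @@
 #ifndef FH_IPV6NFT_H
 #define FH_IPV6NFT_H
 
-int fh_nft6_flush(int auto_create);
+int fh_nft6_setup(void);
 
-int fh_nft6_add(void);
+void fh_nft6_cleanup(void);
 
 #endif /* FH_IPV6NFT_H */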

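--- a/src/globvar.c
+++ b/src/globvar.c
@@ -29,6 +29,7 @@ struct fh_context g_ctx = {.exit = 0,
 .logfp = NULL,
 
 /* -d */ .daemon = 0,
+/* -f */ .skipfw = 0,
 /* -h */ .hostname = NULL,
 /* -i */ .iface = NULL,
 /* -k */ .killproc = 0,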

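--- a/src/ipv4ipt.c
+++ b/src/ipv4ipt.c
@@ -27,48 +27,20 @@
 #include "logging.h"
 #include "process.h"
 
-int fh_ipt4_flush(int auto_create)
+int fh_ipt4_setup(void)
 {
+char xmark_str[64], nfqnum_str[32], iface_str[32];
+size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
 int res;
-size_t i, cnt;
-char *ipt_flush_cmd[] = {"iptables", "-w", "-t", "mangle",
-"-F", "FAKEHTTP", NULL};
-char *ipt_create_cmds[][32] = {
+char *ipt_cmds[][32] = {
 {"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP", NULL},
 
 {"iptables", "-w", "-t", "mangle", "-I", "INPUT", "-j", "FAKEHTTP",
 NULL},
 
 {"iptables", "-w", "-t", "mangle", "-I", "FORWARD", "-j", "FAKEHTTP",
-NULL}};
-
-res = fh_execute_command(ipt_flush_cmd, 1, NULL);
-if (res < 0) {
-if (!auto_create) {
-E(T(fh_execute_command));
-return -1;
-}
-
-cnt = sizeof(ipt_create_cmds) / sizeof(*ipt_create_cmds);
-for (i = 0; i < cnt; i++) {
-res = fh_execute_command(ipt_create_cmds[i], 0, NULL);
-if (res < 0) {
-E(T(fh_execute_command));
-return -1;
-}
-}
-}
-
-return 0;
-}
-
+NULL},
 
-int fh_ipt4_add(void)
-{
-char xmark_str[64], nfqnum_str[32], iface_str[32];
-size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
-int res;
-char *ipt_cmds[][32] = {
 /*
 exclude marked packets
 */
@@ -152,6 +124,8 @@ int fh_ipt4_add(void)
 return -1;
 }
 
+fh_ipt4_cleanup();
+
 for (i = 0; i < ipt_cmds_cnt; i++) {
 res = fh_execute_command(ipt_cmds[i], 0, NULL);
 if (res < 0) {
@@ -166,3 +140,33 @@ int fh_ipt4_add(void)
 
 return 0;
 }
+
+
+void fh_ipt4_cleanup(void)
+{
+size_t i, cnt;
+char *ipt_cmds[][32] = {
+{"iptables", "-w", "-t", "mangle", "-F", "FAKEHTTP", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-D", "PREROUTING", "-j",
+"FAKEHTTP", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-D", "INPUT", "-j", "FAKEHTTP",
+NULL},
+
+{"iptables", "-w", "-t", "mangle", "-D", "FORWARD", "-j", "FAKEHTTP",
+NULL},
+
+{"iptables", "-w", "-t", "mangle", "-D", "OUTPUT", "-j", "FAKEHTTP",
+NULL},
+
+{"iptables", "-w", "-t", "mangle", "-D", "POSTROUTING", "-j",
+"FAKEHTTP", NULL},
+
+{"iptables", "-w", "-t", "mangle", "-X", "FAKEHTTP", NULL}};
+
+cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
+for (i = 0; i < cnt; i++) {
+fh_execute_command(ipt_cmds[i], 1, NULL);
+}
+}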
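Review bot: Each `-D` in `fh_ipt4_cleanup` removes a single matching rule, so if a hook chain holds more than one `-j FAKEHTTP` entry (two instances started at the same time, or a rule added by hand), one reference survives, `-X FAKEHTTP` fails while the chain is still referenced, and the `-N FAKEHTTP` that `fh_ipt4_setup` runs right after its `fh_ipt4_cleanup()` call fails as well; repeating each `-D` until it reports an error makes the cleanup converge on a clean state. The result of `fh_execute_command` is discarded on every cleanup step, which is acceptable for best effort but hides exactly this case, so logging the first failing step at debug level would make the resulting setup failure diagnosable. `fh_ipt6_cleanup` in src/ipv6ipt.c has the same shape and needs the same change. This assumes a non-negative return from `fh_execute_command` means the command exited successfully, as the `res < 0` checks elsewhere in the file suggest, and that `<string.h>` is already included.
```c
void fh_ipt4_cleanup(void)
{
    size_t i, cnt;
    int res, tries;
    /* … unchanged: ipt_cmds table … */

    cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
    for (i = 0; i < cnt; i++) {
        /* "-D" deletes one matching rule per call, so repeat it until it
           fails; "-X" below then runs with no jump rules left behind.
           Bounded so a command that never fails cannot loop forever. */
        tries = 0;
        do {
            res = fh_execute_command(ipt_cmds[i], 1, NULL);
        } while (res >= 0 && strcmp(ipt_cmds[i][4], "-D") == 0 && ++tries < 16);
    }
}
```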

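--- a/src/ipv4nft.c
+++ b/src/ipv4nft.c
@@ -27,46 +27,7 @@
 #include "logging.h"
 #include "process.h"
 
-int fh_nft4_flush(int auto_create)
-{
-int res;
-char *nft_flush_cmd[] = {"nft", "flush table ip fakehttp", NULL};
-char *nft_cmd[] = {"nft", "-f", "-", NULL};
-char *nft_create_conf =
-"table ip fakehttp {\n"
-" chain fh_input {\n"
-" type filter hook input priority mangle - 5;\n"
-" policy accept;\n"
-" }\n"
-"\n"
-" chain fh_output {\n"
-" type filter hook forward priority mangle - 5;\n"
-" policy accept;\n"
-" }\n"
-"\n"
-" chain fh_rules {\n"
-" }\n"
-"}\n";
-
-res = fh_execute_command(nft_flush_cmd, 1, NULL);
-if (res < 0) {
-if (!auto_create) {
-E(T(fh_execute_command));
-return -1;
-}
-
-res = fh_execute_command(nft_cmd, 0, nft_create_conf);
-if (res < 0) {
-E(T(fh_execute_command));
-return -1;
-}
-}
-
-return 0;
-}
-
-
-int fh_nft4_add(void)
+int fh_nft4_setup(void)
 {
 size_t i, nft_opt_cmds_cnt;
 int res;
@@ -75,10 +36,14 @@ int fh_nft4_add(void)
 char *nft_conf_fmt =
 "table ip fakehttp {\n"
 " chain fh_input {\n"
+" type filter hook input priority mangle - 5;\n"
+" policy accept;\n"
 " jump fh_rules;\n"
 " }\n"
 "\n"
-" chain fh_output {\n"
+" chain fh_forward {\n"
+" type filter hook forward priority mangle - 5;\n"
+" policy accept;\n"
 " jump fh_rules;\n"
 " }\n"
 "\n"
@@ -140,6 +105,8 @@ int fh_nft4_add(void)
 return -1;
 }
 
+fh_nft4_cleanup();
+
 res = fh_execute_command(nft_cmd, 1, nft_conf_buff);
 if (res < 0) {
 E(T(fh_execute_command));
@@ -152,3 +119,11 @@ int fh_nft4_add(void)
 
 return 0;
 }
+
+
+void fh_nft4_cleanup(void)
+{
+char *nft_delete_cmd[] = {"nft", "delete table ip fakehttp", NULL};
+
+fh_execute_command(nft_delete_cmd, 1, NULL);
+}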
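Review bot: `fh_nft4_setup` now drops the whole `fakehttp` table in a separate `nft delete table` process and only afterwards recreates it from `nft_conf_fmt`, so every (re)start has a window with neither `fh_input` nor `fh_forward` hooked, during which traffic passes unmodified. nft can do the replacement as one transaction: declare the table, delete it and redefine it in the same `-f` script, i.e. begin `nft_conf_fmt` with `"table ip fakehttp\n" "delete table ip fakehttp\n" "table ip fakehttp {\n"`, which is also idempotent when the table does not exist yet. With that in place the `fh_nft4_cleanup()` call before the `nft -f -` run is no longer needed for setup, while `fh_nft4_cleanup` itself remains the right teardown path. The body of `fh_nft4_setup` continues outside the hunk, so how `nft_conf_buff` is produced from the format string is not visible here.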

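--- a/src/ipv6ipt.c
+++ b/src/ipv6ipt.c
@@ -27,48 +27,20 @@
 #include "logging.h"
 #include "process.h"
 
-int fh_ipt6_flush(int auto_create)
+int fh_ipt6_setup(void)
 {
+char xmark_str[64], nfqnum_str[32], iface_str[32];
+size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
 int res;
-size_t i, cnt;
-char *ipt_flush_cmd[] = {"ip6tables", "-w", "-t", "mangle",
-"-F", "FAKEHTTP", NULL};
-char *ipt_create_cmds[][32] = {
+char *ipt_cmds[][32] = {
 {"ip6tables", "-w", "-t", "mangle", "-N", "FAKEHTTP", NULL},
 
 {"ip6tables", "-w", "-t", "mangle", "-I", "INPUT", "-j", "FAKEHTTP",
 NULL},
 
 {"ip6tables", "-w", "-t", "mangle", "-I", "FORWARD", "-j", "FAKEHTTP",
-NULL}};
-
-res = fh_execute_command(ipt_flush_cmd, 1, NULL);
-if (res < 0) {
-if (!auto_create) {
-E(T(fh_execute_command));
-return -1;
-}
-
-cnt = sizeof(ipt_create_cmds) / sizeof(*ipt_create_cmds);
-for (i = 0; i < cnt; i++) {
-res = fh_execute_command(ipt_create_cmds[i], 0, NULL);
-if (res < 0) {
-E(T(fh_execute_command));
-return -1;
-}
-}
-}
-
-return 0;
-}
-
+NULL},
 
-int fh_ipt6_add(void)
-{
-char xmark_str[64], nfqnum_str[32], iface_str[32];
-size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
-int res;
-char *ipt_cmds[][32] = {
 /*
 exclude marked packets
 */
@@ -149,6 +121,8 @@ int fh_ipt6_add(void)
 return -1;
 }
 
+fh_ipt6_cleanup();
+
 for (i = 0; i < ipt_cmds_cnt; i++) {
 res = fh_execute_command(ipt_cmds[i], 0, NULL);
 if (res < 0) {
@@ -163,3 +137,33 @@ int fh_ipt6_add(void)
 
 return 0;
 }
+
+
+void fh_ipt6_cleanup(void)
+{
+size_t i, cnt;
+char *ipt_cmds[][32] = {
+{"ip6tables", "-w", "-t", "mangle", "-F", "FAKEHTTP", NULL},
+
+{"ip6tables", "-w", "-t", "mangle", "-D", "PREROUTING", "-j",
+"FAKEHTTP", NULL},
+
+{"ip6tables", "-w", "-t", "mangle", "-D", "INPUT", "-j", "FAKEHTTP",
+NULL},
+
+{"ip6tables", "-w", "-t", "mangle", "-D", "FORWARD", "-j", "FAKEHTTP",
+NULL},
+
+{"ip6tables", "-w", "-t", "mangle", "-D", "OUTPUT", "-j", "FAKEHTTP",
+NULL},
+
+{"ip6tables", "-w", "-t", "mangle", "-D", "POSTROUTING", "-j",
+"FAKEHTTP", NULL},
+
+{"ip6tables", "-w", "-t", "mangle", "-X", "FAKEHTTP", NULL}};
+
+cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
+for (i = 0; i < cnt; i++) {
+fh_execute_command(ipt_cmds[i], 1, NULL);
+}
+}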
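Review bot: After this change src/ipv6ipt.c is, apart from the `ip6tables` binary name, a line-for-line copy of src/ipv4ipt.c — `fh_ipt6_setup` and `fh_ipt6_cleanup`, including the seven-entry teardown table, duplicate the IPv4 bodies verbatim. A single helper parameterised on the binary, e.g. `static void ipt_cleanup(const char *bin)` called from both `fh_ipt4_cleanup` and `fh_ipt6_cleanup`, would keep the two tables from drifting apart the next time a hook chain is added or removed. Where such a helper should live is not decidable from this view, since the common headers and the rest of both setup functions are outside the hunks.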
