MikeWang000000
diff --git a/‎include/globvar.h‎
Lines changed: 1 addition & 1 deletion b/‎include/globvar.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/globvar.c‎
Lines changed: 1 addition & 1 deletion b/‎src/globvar.c‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/ipv4ipt.c‎
Lines changed: 61 additions & 25 deletions b/‎src/ipv4ipt.c‎
Lines changed: 61 additions & 25 deletions
diff --git a/‎src/ipv4nft.c‎
Lines changed: 38 additions & 4 deletions b/‎src/ipv4nft.c‎
Lines changed: 38 additions & 4 deletions
@@ -35,7 +35,7 @@ struct fh_context {
     /* -f */ int skipfw;
     /* -g */ int nohopest;
     /* -h */ const char *hostname;
-    /* -i */ const char *iface;
+    /* -i */ const char *iface[32];
     /* -k */ int killproc;
     /* -m */ uint32_t fwmark;
     /* -n */ uint32_t nfqnum;
 
@@ -35,7 +35,7 @@ struct fh_context g_ctx = {.exit = 0,
                            /* -f */ .skipfw = 0,
                            /* -g */ .nohopest = 0,
                            /* -h */ .hostname = NULL,
-                           /* -i */ .iface = NULL,
+                           /* -i */ .iface = {NULL},
                            /* -k */ .killproc = 0,
                            /* -m */ .fwmark = 0x8000,
                            /* -n */ .nfqnum = 512,
 
@@ -22,14 +22,43 @@
 
 #include <inttypes.h>
 #include <stdlib.h>
+#include <net/if.h>
 
 #include "globvar.h"
 #include "logging.h"
 #include "process.h"
 
+static int ipt4_iface_setup(void)
+{
+    char iface_str[IFNAMSIZ];
+    size_t i, cnt;
+    int res;
+    char *ipt_iface_cmd[] = {"iptables", "-w",         "-t", "mangle",
+                             "-A",       "FAKEHTTP",   "-i", iface_str,
+                             "-j",       "FAKEHTTP_R", NULL};
+
+    cnt = sizeof(g_ctx.iface) / sizeof(*g_ctx.iface);
+
+    for (i = 0; i < cnt && g_ctx.iface[i]; i++) {
+        res = snprintf(iface_str, sizeof(iface_str), "%s", g_ctx.iface[i]);
+        if (res < 0 || (size_t) res >= sizeof(iface_str)) {
+            E("ERROR: snprintf(): %s", "failure");
+            return -1;
+        }
+
+        res = fh_execute_command(ipt_iface_cmd, 0, NULL);
+        if (res < 0) {
+            E(T(fh_execute_command));
+            return -1;
+        }
+    }
+    return 0;
+}
+
+
 int fh_ipt4_setup(void)
 {
-    char xmark_str[64], nfqnum_str[32], iface_str[32];
+    char xmark_str[64], nfqnum_str[32];
     size_t i, ipt_cmds_cnt, ipt_opt_cmds_cnt;
     int res;
     char *ipt_cmds[][32] = {
@@ -38,65 +67,68 @@ int fh_ipt4_setup(void)
         {"iptables", "-w", "-t", "mangle", "-I", "PREROUTING", "-j",
          "FAKEHTTP", NULL},
 
+        {"iptables", "-w", "-t", "mangle", "-N", "FAKEHTTP_R", NULL},
+
         /*
             exclude marked packets
         */
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-m", "mark",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
          "--mark", xmark_str, "-j", "CONNMARK", "--set-xmark", xmark_str,
          NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-m", "connmark",
-         "--mark", xmark_str, "-j", "MARK", "--set-xmark", xmark_str, NULL},
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m",
+         "connmark", "--mark", xmark_str, "-j", "MARK", "--set-xmark",
+         xmark_str, NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-m", "mark",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-m", "mark",
          "--mark", xmark_str, "-j", "RETURN", NULL},
 
         /*
             exclude local IPs
         */
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s", "0.0.0.0/8",
-         "-j", "RETURN", NULL},
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
+         "0.0.0.0/8", "-j", "RETURN", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
          "10.0.0.0/8", "-j", "RETURN", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
          "100.64.0.0/10", "-j", "RETURN", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
          "127.0.0.0/8", "-j", "RETURN", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
          "169.254.0.0/16", "-j", "RETURN", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
          "172.16.0.0/12", "-j", "RETURN", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
          "192.168.0.0/16", "-j", "RETURN", NULL},
 
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-s",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-s",
          "224.0.0.0/3", "-j", "RETURN", NULL},
 
         /*
             send to nfqueue
         */
-        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP", "-i", iface_str,
-         "-p", "tcp", "--tcp-flags", "ACK,FIN,RST", "ACK", "-j", "NFQUEUE",
+        {"iptables", "-w", "-t", "mangle", "-A", "FAKEHTTP_R", "-p", "tcp",
+         "--tcp-flags", "ACK,FIN,RST", "ACK", "-j", "NFQUEUE",
          "--queue-bypass", "--queue-num", nfqnum_str, NULL}};
 
     char *ipt_opt_cmds[][32] = {
         /*
             exclude packets from connections with more than 32 packets
         */
-        {"iptables", "-w", "-t", "mangle", "-I", "FAKEHTTP", "-m", "connbytes",
-         "!", "--connbytes", "0:32", "--connbytes-dir", "both",
+        {"iptables", "-w", "-t", "mangle", "-I", "FAKEHTTP_R", "-m",
+         "connbytes", "!", "--connbytes", "0:32", "--connbytes-dir", "both",
          "--connbytes-mode", "packets", "-j", "RETURN", NULL},
 
         /*
             exclude big packets
         */
-        {"iptables", "-w", "-t", "mangle", "-I", "FAKEHTTP", "-m", "length",
+        {"iptables", "-w", "-t", "mangle", "-I", "FAKEHTTP_R", "-m", "length",
          "!", "--length", "0:120", "-j", "RETURN", NULL}};
 
     ipt_cmds_cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
@@ -115,12 +147,6 @@ int fh_ipt4_setup(void)
         return -1;
     }
 
-    res = snprintf(iface_str, sizeof(iface_str), "%s", g_ctx.iface);
-    if (res < 0 || (size_t) res >= sizeof(iface_str)) {
-        E("ERROR: snprintf(): %s", "failure");
-        return -1;
-    }
-
     fh_ipt4_cleanup();
 
     for (i = 0; i < ipt_cmds_cnt; i++) {
@@ -135,6 +161,12 @@ int fh_ipt4_setup(void)
         fh_execute_command(ipt_opt_cmds[i], 1, NULL);
     }
 
+    res = ipt4_iface_setup();
+    if (res < 0) {
+        E(T(ipt4_iface_setup));
+        return -1;
+    }
+
     return 0;
 }
 
@@ -143,6 +175,8 @@ void fh_ipt4_cleanup(void)
 {
     size_t i, cnt;
     char *ipt_cmds[][32] = {
+        {"iptables", "-w", "-t", "mangle", "-F", "FAKEHTTP_R", NULL},
+
         {"iptables", "-w", "-t", "mangle", "-F", "FAKEHTTP", NULL},
 
         {"iptables", "-w", "-t", "mangle", "-D", "PREROUTING", "-j",
@@ -160,6 +194,8 @@ void fh_ipt4_cleanup(void)
         {"iptables", "-w", "-t", "mangle", "-D", "POSTROUTING", "-j",
          "FAKEHTTP", NULL},
 
+        {"iptables", "-w", "-t", "mangle", "-X", "FAKEHTTP_R", NULL},
+
         {"iptables", "-w", "-t", "mangle", "-X", "FAKEHTTP", NULL}};
 
     cnt = sizeof(ipt_cmds) / sizeof(*ipt_cmds);
 
@@ -27,6 +27,35 @@
 #include "logging.h"
 #include "process.h"
 
+static int nft4_iface_setup(void)
+{
+    char nftstr[120];
+    size_t i, cnt;
+    int res;
+    char *nft_iface_cmd[] = {"nft", nftstr, NULL};
+
+    cnt = sizeof(g_ctx.iface) / sizeof(*g_ctx.iface);
+
+    for (i = 0; i < cnt && g_ctx.iface[i]; i++) {
+        res = snprintf(
+            nftstr, sizeof(nftstr),
+            "add rule ip fakehttp fh_prerouting iifname \"%s\" jump fh_rules",
+            g_ctx.iface[i]);
+        if (res < 0 || (size_t) res >= sizeof(nftstr)) {
+            E("ERROR: snprintf(): %s", "failure");
+            return -1;
+        }
+
+        res = fh_execute_command(nft_iface_cmd, 0, NULL);
+        if (res < 0) {
+            E(T(fh_execute_command));
+            return -1;
+        }
+    }
+    return 0;
+}
+
+
 int fh_nft4_setup(void)
 {
     size_t i, nft_opt_cmds_cnt;
@@ -38,7 +67,6 @@ int fh_nft4_setup(void)
         "    chain fh_prerouting {\n"
         "        type filter hook prerouting priority mangle - 5;\n"
         "        policy accept;\n"
-        "        jump fh_rules;\n"
         "    }\n"
         "\n"
         "    chain fh_rules {\n"
@@ -69,8 +97,8 @@ int fh_nft4_setup(void)
         /*
             send to nfqueue
         */
-        "        iifname \"%s\" tcp flags & (fin | rst | ack) == ack queue "
-        "num %" PRIu32 " bypass;\n"
+        "        tcp flags & (fin | rst | ack) == ack queue num %" PRIu32
+        " bypass;\n"
 
         "    }\n"
         "}\n";
@@ -93,7 +121,7 @@ int fh_nft4_setup(void)
     res = snprintf(nft_conf_buff, sizeof(nft_conf_buff), nft_conf_fmt,
                    g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
                    g_ctx.fwmask, g_ctx.fwmark, ~g_ctx.fwmask, g_ctx.fwmark,
-                   g_ctx.fwmask, g_ctx.fwmark, g_ctx.iface, g_ctx.nfqnum);
+                   g_ctx.fwmask, g_ctx.fwmark, g_ctx.nfqnum);
     if (res < 0 || (size_t) res >= sizeof(nft_conf_buff)) {
         E("ERROR: snprintf(): %s", "failure");
         return -1;
@@ -111,6 +139,12 @@ int fh_nft4_setup(void)
         fh_execute_command(nft_opt_cmds[i], 1, NULL);
     }
 
+    res = nft4_iface_setup();
+    if (res < 0) {
+        E(T(nft4_iface_setup));
+        return -1;
+    }
+
     return 0;
 }