Allow to disable conntrack in kernel module

This commit is contained in:
Vadim Vetrov
2025-01-08 03:56:10 +03:00
parent 84d47b8a3d
commit 59581e91b2
3 changed files with 41 additions and 7 deletions


@@ -332,6 +332,11 @@ Where you have to replace 192.168.. with ip of your television.
* send fake sni EPERM: Fake SNI is out-of-state thing and will likely corrupt the connection (the behavior is expected). conntrack considers it as an invalid packet. By default OpenWRT set up to drop outgoing packets like this one. You may delete nftables/iptables rule that drops packets with invalid conntrack state, but I don't recommend to do this. The step 3 is better solution. * send fake sni EPERM: Fake SNI is out-of-state thing and will likely corrupt the connection (the behavior is expected). conntrack considers it as an invalid packet. By default OpenWRT set up to drop outgoing packets like this one. You may delete nftables/iptables rule that drops packets with invalid conntrack state, but I don't recommend to do this. The step 3 is better solution.
* Step 3, ultimate solution. Use mark (don't confuse with connmark). The youtubeUnblock uses mark internally to avoid infinity packet loops (when the packet is sent by youtubeUnblock but on next step handled by itself). Currently it uses mark (1 << 15) = 32768. You should put iptables/nftables that ultimately accepts such marks at the very start of the filter OUTPUT chain: `iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT` or `nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept`. * Step 3, ultimate solution. Use mark (don't confuse with connmark). The youtubeUnblock uses mark internally to avoid infinity packet loops (when the packet is sent by youtubeUnblock but on next step handled by itself). Currently it uses mark (1 << 15) = 32768. You should put iptables/nftables that ultimately accepts such marks at the very start of the filter OUTPUT chain: `iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT` or `nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept`.
### Conntrack
youtubeUnblock *optionally* depends on conntrack.
For kernel module, if conntrack breaks dependencies, compile it with `make kmake EXTRA_CFLAGS="-DNO_CONNTRACK"` to disable it completly.
## Compilation ## Compilation
Before compilation make sure `gcc`, `make`, `autoconf`, `automake`, `pkg-config` and `libtool` is installed. For Fedora `glibc-static` should be installed as well. Before compilation make sure `gcc`, `make`, `autoconf`, `automake`, `pkg-config` and `libtool` is installed. For Fedora `glibc-static` should be installed as well.


@@ -9,11 +9,13 @@ LDFLAGS :=
KERNEL_BUILDER_MAKEDIR:=/lib/modules/$(shell uname -r)/build KERNEL_BUILDER_MAKEDIR:=/lib/modules/$(shell uname -r)/build
override EXTRA_CFLAGS += -DPKG_VERSION=\"$(PKG_FULLVERSION)\"
.PHONY: kmake kload kunload kreload kclean kmclean xclean .PHONY: kmake kload kunload kreload kclean kmclean xclean
kmake: kmod kmake: kmod
kmod: kmod:
$(MAKE) -C $(KERNEL_BUILDER_MAKEDIR) M=$(PWD) EXTRA_CFLAGS='-DPKG_VERSION=\"$(PKG_FULLVERSION)\"' modules $(MAKE) -C $(KERNEL_BUILDER_MAKEDIR) M=$(PWD) EXTRA_CFLAGS='$(EXTRA_CFLAGS)' modules
kload: kload:
insmod kyoutubeUnblock.ko insmod kyoutubeUnblock.ko


@@ -35,8 +35,16 @@
#include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h> #include <linux/netfilter_ipv6.h>
#ifdef IS_ENABLED
#if !(IS_ENABLED(CONFIG_NF_CONNTRACK))
#define NO_CONNTRACK
#endif /* IS CONNTRACK ENABLED */
#endif /* ifdef IS_ENABLED */
#ifndef NO_CONNTRACK
#include <net/netfilter/nf_conntrack.h> #include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_acct.h> #include <net/netfilter/nf_conntrack_acct.h>
#endif
#include "mangle.h" #include "mangle.h"
#include "config.h" #include "config.h"
@@ -253,6 +261,8 @@ struct instance_config_t instance_config = {
static int conntrack_parse(const struct sk_buff *skb, static int conntrack_parse(const struct sk_buff *skb,
struct ytb_conntrack *yct) { struct ytb_conntrack *yct) {
#ifndef NO_CONNTRACK
const struct nf_conn *ct; const struct nf_conn *ct;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
const struct nf_conn_counter *counters; const struct nf_conn_counter *counters;
@@ -273,18 +283,34 @@ static int conntrack_parse(const struct sk_buff *skb,
return -1; return -1;
#endif #endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0)
yct->orig_packets = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].packets); yct->orig_packets = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].packets);
yct_set_mask_attr(YCTATTR_ORIG_PACKETS, yct);
yct->orig_bytes = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].bytes); yct->orig_bytes = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].bytes);
yct_set_mask_attr(YCTATTR_ORIG_BYTES, yct);
yct->repl_packets = atomic64_read(&counters[IP_CT_DIR_REPLY].packets); yct->repl_packets = atomic64_read(&counters[IP_CT_DIR_REPLY].packets);
yct_set_mask_attr(YCTATTR_REPL_PACKETS, yct);
yct->repl_bytes = atomic64_read(&counters[IP_CT_DIR_REPLY].bytes); yct->repl_bytes = atomic64_read(&counters[IP_CT_DIR_REPLY].bytes);
#else
yct->orig_packets = counters[IP_CT_DIR_ORIGINAL].packets;
yct->orig_bytes = counters[IP_CT_DIR_ORIGINAL].bytes;
yct->repl_packets = counters[IP_CT_DIR_REPLY].packets;
yct->repl_bytes = counters[IP_CT_DIR_REPLY].bytes;
#endif
yct_set_mask_attr(YCTATTR_ORIG_PACKETS, yct);
yct_set_mask_attr(YCTATTR_ORIG_BYTES, yct);
yct_set_mask_attr(YCTATTR_REPL_PACKETS, yct);
yct_set_mask_attr(YCTATTR_REPL_BYTES, yct); yct_set_mask_attr(YCTATTR_REPL_BYTES, yct);
#if defined(CONFIG_NF_CONNTRACK_MARK)
yct->connmark = READ_ONCE(ct->mark); yct->connmark = READ_ONCE(ct->mark);
yct_set_mask_attr(YCTATTR_CONNMARK, yct); yct_set_mask_attr(YCTATTR_CONNMARK, yct);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
yct->id = nf_ct_get_id(ct); yct->id = nf_ct_get_id(ct);
yct_set_mask_attr(YCTATTR_CONNID, yct); yct_set_mask_attr(YCTATTR_CONNID, yct);
#endif
#endif /* NO_CONNTRACK */
return 0; return 0;
} }
@@ -373,13 +399,10 @@ static NF_CALLBACK(ykb_nf_hook, skb) {
lgtrace("[TRACE] conntrack_parse error code\n"); lgtrace("[TRACE] conntrack_parse error code\n");
} }
lgtrace("[CONNTRACK TRACE] orig_packets=%llu repl_packets=%llu orig_bytes=%llu repl_bytes=%llu connmark=%d id=%ud\n", pd.yct.orig_packets, pd.yct.repl_packets, pd.yct.orig_bytes, pd.yct.repl_bytes, pd.yct.connmark, pd.yct.id);
if (config.connbytes_limit != 0 && yct_is_mask_attr(YCTATTR_ORIG_PACKETS, &pd.yct) && pd.yct.orig_packets > config.connbytes_limit) if (config.connbytes_limit != 0 && yct_is_mask_attr(YCTATTR_ORIG_PACKETS, &pd.yct) && pd.yct.orig_packets > config.connbytes_limit)
goto accept; goto accept;
ret = skb_linearize(skb); ret = skb_linearize(skb);
if (ret < 0) { if (ret < 0) {
lgerror(ret, "Cannot linearize"); lgerror(ret, "Cannot linearize");
@@ -421,6 +444,10 @@ static struct nf_hook_ops ykb6_nf_reg __read_mostly = {
}; };
static int __init ykb_init(void) { static int __init ykb_init(void) {
#ifdef NO_CONNTRACK
lgwarning("Conntrack disabled.");
#endif
int ret = 0; int ret = 0;
ret = init_config(&config); ret = init_config(&config);
if (ret < 0) goto err; if (ret < 0) goto err;
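Review bot: The `lgwarning("Conntrack disabled.");` added at the top of ykb_init is a statement placed before the declaration `int ret = 0;`, which kernels still built as gnu89 with `-Wdeclaration-after-statement` in KBUILD_CFLAGS will flag (and fail under CONFIG_WERROR); moving the `#ifdef NO_CONNTRACK` … `#endif` block to just below the `int ret = 0;` line avoids it at no cost. The message also lacks the trailing newline the file's other log calls carry (`lgtrace("[TRACE] conntrack_parse error code\n")`), so if lgwarning wraps printk the next log line may be glued onto it — `lgwarning("Conntrack disabled.\n");` in that case. In the earlier hunk, with NO_CONNTRACK defined conntrack_parse returns 0 without setting any yct attribute, so the caller's `yct_is_mask_attr(YCTATTR_ORIG_PACKETS, &pd.yct)` check only stays correct if pd.yct is zero-initialised before the call, which this page does not show; a one-line comment at the `#ifndef NO_CONNTRACK` in conntrack_parse, such as `/* without conntrack: report success, leave yct's attribute mask untouched */`, would make that contract explicit for the caller.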