Allow to disable conntrack in kernel module
@@ -332,6 +332,11 @@ Where you have to replace 192.168.. with ip of your television.
|
||||
* send fake sni EPERM: Fake SNI is out-of-state thing and will likely corrupt the connection (the behavior is expected). conntrack considers it as an invalid packet. By default OpenWRT set up to drop outgoing packets like this one. You may delete nftables/iptables rule that drops packets with invalid conntrack state, but I don't recommend to do this. The step 3 is better solution.
|
||||
* Step 3, ultimate solution. Use mark (don't confuse with connmark). The youtubeUnblock uses mark internally to avoid infinity packet loops (when the packet is sent by youtubeUnblock but on next step handled by itself). Currently it uses mark (1 << 15) = 32768. You should put iptables/nftables that ultimately accepts such marks at the very start of the filter OUTPUT chain: `iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT` or `nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept`.
|
||||
|
||||
### Conntrack
|
||||
|
||||
youtubeUnblock *optionally* depends on conntrack.
|
||||
For kernel module, if conntrack breaks dependencies, compile it with `make kmake EXTRA_CFLAGS="-DNO_CONNTRACK"` to disable it completly.
|
||||
|
||||
## Compilation
|
||||
|
||||
Before compilation make sure `gcc`, `make`, `autoconf`, `automake`, `pkg-config` and `libtool` is installed. For Fedora `glibc-static` should be installed as well.
|
||||
|
||||
4
kmake.mk
4
kmake.mk
@@ -9,11 +9,13 @@ LDFLAGS :=
|
||||
|
||||
KERNEL_BUILDER_MAKEDIR:=/lib/modules/$(shell uname -r)/build
|
||||
|
||||
override EXTRA_CFLAGS += -DPKG_VERSION=\"$(PKG_FULLVERSION)\"
|
||||
|
||||
.PHONY: kmake kload kunload kreload kclean kmclean xclean
|
||||
kmake: kmod
|
||||
|
||||
kmod:
|
||||
$(MAKE) -C $(KERNEL_BUILDER_MAKEDIR) M=$(PWD) EXTRA_CFLAGS='-DPKG_VERSION=\"$(PKG_FULLVERSION)\"' modules
|
||||
$(MAKE) -C $(KERNEL_BUILDER_MAKEDIR) M=$(PWD) EXTRA_CFLAGS='$(EXTRA_CFLAGS)' modules
|
||||
|
||||
kload:
|
||||
insmod kyoutubeUnblock.ko
|
||||
|
||||
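Review bot: The `override EXTRA_CFLAGS += -DPKG_VERSION=...` line needs a comment, because `override` is the only thing that keeps the version define when the user passes `EXTRA_CFLAGS="-DNO_CONNTRACK"` on the command line (the path the README now documents), and a later maintainer is likely to drop the keyword as noise; something like `# override: keep -DPKG_VERSION even when EXTRA_CFLAGS is given on the make command line`. The whole value is then interpolated inside single quotes in the kmod recipe, so a user-supplied value containing a single quote breaks the shell line; that limitation predates this change but is worth stating in the same comment. Kbuild has also treated EXTRA_CFLAGS as deprecated in favour of ccflags-y for a long time, so if the targeted tree starts warning about it, `ccflags-y` is the drop-in replacement.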
@@ -35,8 +35,16 @@
|
||||
#include <linux/netfilter_ipv4.h>
|
||||
#include <linux/netfilter_ipv6.h>
|
||||
|
||||
#ifdef IS_ENABLED
|
||||
#if !(IS_ENABLED(CONFIG_NF_CONNTRACK))
|
||||
#define NO_CONNTRACK
|
||||
#endif /* IS CONNTRACK ENABLED */
|
||||
#endif /* ifdef IS_ENABLED */
|
||||
|
||||
#ifndef NO_CONNTRACK
|
||||
#include <net/netfilter/nf_conntrack.h>
|
||||
#include <net/netfilter/nf_conntrack_acct.h>
|
||||
#endif
|
||||
|
||||
#include "mangle.h"
|
||||
#include "config.h"
|
||||
@@ -253,6 +261,8 @@ struct instance_config_t instance_config = {
|
||||
|
||||
static int conntrack_parse(const struct sk_buff *skb,
|
||||
struct ytb_conntrack *yct) {
|
||||
#ifndef NO_CONNTRACK
|
||||
|
||||
const struct nf_conn *ct;
|
||||
enum ip_conntrack_info ctinfo;
|
||||
const struct nf_conn_counter *counters;
|
||||
@@ -273,18 +283,34 @@ static int conntrack_parse(const struct sk_buff *skb,
|
||||
return -1;
|
||||
#endif
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0)
|
||||
yct->orig_packets = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].packets);
|
||||
yct_set_mask_attr(YCTATTR_ORIG_PACKETS, yct);
|
||||
yct->orig_bytes = atomic64_read(&counters[IP_CT_DIR_ORIGINAL].bytes);
|
||||
yct_set_mask_attr(YCTATTR_ORIG_BYTES, yct);
|
||||
yct->repl_packets = atomic64_read(&counters[IP_CT_DIR_REPLY].packets);
|
||||
yct_set_mask_attr(YCTATTR_REPL_PACKETS, yct);
|
||||
yct->repl_bytes = atomic64_read(&counters[IP_CT_DIR_REPLY].bytes);
|
||||
#else
|
||||
yct->orig_packets = counters[IP_CT_DIR_ORIGINAL].packets;
|
||||
yct->orig_bytes = counters[IP_CT_DIR_ORIGINAL].bytes;
|
||||
yct->repl_packets = counters[IP_CT_DIR_REPLY].packets;
|
||||
yct->repl_bytes = counters[IP_CT_DIR_REPLY].bytes;
|
||||
#endif
|
||||
yct_set_mask_attr(YCTATTR_ORIG_PACKETS, yct);
|
||||
yct_set_mask_attr(YCTATTR_ORIG_BYTES, yct);
|
||||
yct_set_mask_attr(YCTATTR_REPL_PACKETS, yct);
|
||||
yct_set_mask_attr(YCTATTR_REPL_BYTES, yct);
|
||||
|
||||
#if defined(CONFIG_NF_CONNTRACK_MARK)
|
||||
yct->connmark = READ_ONCE(ct->mark);
|
||||
yct_set_mask_attr(YCTATTR_CONNMARK, yct);
|
||||
#endif
|
||||
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
|
||||
yct->id = nf_ct_get_id(ct);
|
||||
yct_set_mask_attr(YCTATTR_CONNID, yct);
|
||||
#endif
|
||||
|
||||
#endif /* NO_CONNTRACK */
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -373,13 +399,10 @@ static NF_CALLBACK(ykb_nf_hook, skb) {
|
||||
lgtrace("[TRACE] conntrack_parse error code\n");
|
||||
}
|
||||
|
||||
lgtrace("[CONNTRACK TRACE] orig_packets=%llu repl_packets=%llu orig_bytes=%llu repl_bytes=%llu connmark=%d id=%ud\n", pd.yct.orig_packets, pd.yct.repl_packets, pd.yct.orig_bytes, pd.yct.repl_bytes, pd.yct.connmark, pd.yct.id);
|
||||
|
||||
if (config.connbytes_limit != 0 && yct_is_mask_attr(YCTATTR_ORIG_PACKETS, &pd.yct) && pd.yct.orig_packets > config.connbytes_limit)
|
||||
goto accept;
|
||||
|
||||
|
||||
|
||||
ret = skb_linearize(skb);
|
||||
if (ret < 0) {
|
||||
lgerror(ret, "Cannot linearize");
|
||||
@@ -421,6 +444,10 @@ static struct nf_hook_ops ykb6_nf_reg __read_mostly = {
|
||||
};
|
||||
|
||||
static int __init ykb_init(void) {
|
||||
#ifdef NO_CONNTRACK
|
||||
lgwarning("Conntrack disabled.");
|
||||
#endif
|
||||
|
||||
int ret = 0;
|
||||
ret = init_config(&config);
|
||||
if (ret < 0) goto err;
|
||||
|
||||
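Review bot: The empty-bodied `#define NO_CONNTRACK` in the first hunk collides with the documented `make kmake EXTRA_CFLAGS="-DNO_CONNTRACK"` path, where the preprocessor already has `NO_CONNTRACK` defined as `1`; the two definitions differ, so a build that both lacks CONFIG_NF_CONNTRACK and passes the flag gets a "NO_CONNTRACK redefined" warning, fatal under -Werror. Guard it and use the same value the command line produces: `#if !(IS_ENABLED(CONFIG_NF_CONNTRACK)) && !defined(NO_CONNTRACK)` / `#define NO_CONNTRACK 1`. In the last hunk, `lgwarning("Conntrack disabled.");` is placed before `int ret = 0;` inside ykb_init; if lgwarning expands to a statement, as a log wrapper normally does, that is a declaration after a statement, which kernel trees that still build with -Wdeclaration-after-statement warn about, so the `#ifdef` block should move below the declaration. In conntrack_parse, which is split across the second and third hunks with its middle outside them, the NO_CONNTRACK build returns 0 without writing anything to `yct`; unless the caller zeroes `pd.yct` first, which is not visible here, the `yct_is_mask_attr` check in ykb_nf_hook would read an uninitialised mask, so either a `memset(yct, 0, sizeof *yct);` at function entry or a comment stating the caller's zeroing obligation is warranted.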