diff --git a/README.md b/README.md
index e977668..2efdce5 100644
--- a/README.md
+++ b/README.md
@@ -278,6 +278,8 @@ Flags that do not scoped to a specific section, used over all the youtubeUnblock
 - `--quic-drop` Drop all QUIC packets which goes to youtubeUnblock. Won't affect any other UDP packets. Just an alias for `--udp-filter-quic=all --udp-mode=drop`.
+- `--no-dport-filter` By default, youtubeUnblock will filter for TLS and QUIC 443. If you want to disable it, pass this flag. (this does not affect `--udp-dport-filter`)
+
 ## UDP/QUIC
 UDP is another communication protocol. Well-known technologies that use it are DNS, QUIC, voice chats. UDP does not provide reliable connection and its header is much simpler than TCP thus fragmentation is limited. The support provided primarily by faking.
diff --git a/src/args.c b/src/args.c
index db72ebd..828e0b0 100644
--- a/src/args.c
+++ b/src/args.c
@@ -269,6 +269,7 @@ enum {
 OPT_PACKET_MARK,
 OPT_SYNFAKE,
 OPT_SYNFAKE_LEN,
+ OPT_NO_DPORT_FILTER,
 OPT_SEG2DELAY,
 OPT_THREADS,
 OPT_SILENT,
@@ -318,6 +319,7 @@ static struct option long_opt[] = {
 {"udp-faking-strategy", 1, 0, OPT_UDP_FAKING_STRATEGY},
 {"udp-dport-filter", 1, 0, OPT_UDP_DPORT_FILTER},
 {"udp-filter-quic", 1, 0, OPT_UDP_FILTER_QUIC},
+ {"no-dport-filter", 0, 0, OPT_NO_DPORT_FILTER},
 {"threads", 1, 0, OPT_THREADS},
 {"silent", 0, 0, OPT_SILENT},
 {"trace", 0, 0, OPT_TRACE},
@@ -381,6 +383,7 @@ void print_usage(const char *argv0) {
 printf("\t--udp-faking-strategy={checksum|ttl|none}\n");
 printf("\t--udp-dport-filter=<5,6,200-500>\n");
 printf("\t--udp-filter-quic={disabled|all|parse}\n");
+ printf("\t--no-dport-filter\n");
 printf("\t--threads=\n");
 printf("\t--packet-mark=\n");
 printf("\t--connbytes-limit=\n");
@@ -712,6 +715,9 @@ int yparse_args(int argc, char *argv[]) {
 sect_config->fk_winsize = num;
 break;
+ case OPT_NO_DPORT_FILTER:
+ sect_config->dport_filter = 0;
+ break;
 case OPT_SEG2DELAY:
 num = parse_numeric_option(optarg);
 if (errno != 0 || num < 0) {
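Review bot: `case OPT_NO_DPORT_FILTER:` writes `sect_config->dport_filter = 0`, i.e. into the section currently being configured, while the README hunk files the flag under the heading for flags that are not scoped to a section; if sect_config tracks the current section as the neighbouring cases suggest, the flag is per-section (print_config_section also emits it per section) and the README placement and the print_usage line should say which. A one-line comment at the case would settle it for the next reader, e.g. `/* per-section: clears the default dport==443 pre-filter used by mangle.c and quic.c */`. yparse_args starts and ends outside the hunk.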
@@ -1014,6 +1020,10 @@ static size_t print_config_section(const struct section_config_t *section, char
 }
 }
+ if (section->dport_filter == 0) {
+ print_cnf_buf("--no-dport-filter");
+ }
+
 return buffer_size - buf_sz;
 }
 // Returns written buffer length
diff --git a/src/config.h b/src/config.h
index 141d43b..b2c57f3 100644
--- a/src/config.h
+++ b/src/config.h
@@ -92,6 +92,8 @@ struct section_config_t {
 unsigned int fk_winsize;
 int fakeseq_offset;
+ int dport_filter;
+
 #define SNI_DETECTION_PARSE 0
 #define SNI_DETECTION_BRUTE 1
 int sni_detection;
@@ -244,6 +246,7 @@ enum {
 .synfake = 0, \
 .synfake_len = 0, \
 \
+ .dport_filter = 1, \
 .seg2_delay = 0, \
 \
 .sni_detection = SNI_DETECTION_PARSE, \
diff --git a/src/mangle.c b/src/mangle.c
index a584195..9f5cf86 100644
--- a/src/mangle.c
+++ b/src/mangle.c
@@ -214,6 +214,11 @@ int process_tcp_packet(const struct section_config_t *section, const uint8_t *ra
 goto accept;
 }
+ // As defined by TLS standard.
+ if (section->dport_filter && ntohs(tcph->dest) != 443) {
+ goto accept;
+ }
+
 if (tcph->syn && section->synfake) {
 lgtrace_addp("TCP syn alter");
diff --git a/src/quic.c b/src/quic.c
index 5119331..5d896c3 100644
--- a/src/quic.c
+++ b/src/quic.c
@@ -431,6 +431,10 @@ int detect_udp_filtered(const struct section_config_t *section, } if (section->udp_filter_quic != UDP_FILTER_QUIC_DISABLED) { + if (section->dport_filter && ntohs(udph->dest) != 443) goto match_port; + + const struct quic_lhdr *qch; size_t qch_len; struct quic_cids qci;
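Review bot: `int dport_filter;` is added to struct section_config_t without a comment, so a reader has to find mangle.c and quic.c to learn that it is a boolean gate (defaulted to 1 in the second config.h hunk, cleared by `--no-dport-filter` in args.c) rather than a port number like the udp-dport-filter option suggests. A one-line comment would make the default self-explanatory: `int dport_filter; /* nonzero: only inspect TCP/UDP packets with dport 443; cleared by --no-dport-filter */`. The struct definition starts and ends outside the hunk.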
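Review bot: The comment `// As defined by TLS standard.` above the new guard is misleading: TLS itself is port-agnostic, 443 is the IANA assignment for HTTPS, and the same bare literal is repeated in the quic.c hunk below, so a shared named constant (e.g. an `enum { HTTPS_PORT = 443 };` next to the field in config.h) would keep the two checks in step. Suggested wording: `// Default scope: only inspect traffic to the HTTPS port (443); --no-dport-filter widens this to every port.` Note also that the guard sits above the `tcph->syn && section->synfake` branch, so with the filter on (the default) synfake is no longer applied to SYNs towards other ports; if that is intended, the comment should say so. process_tcp_packet starts and ends outside the hunk.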