Fix internet :)

Related to #96

.github/workflows/build-ci.yml

@@ -18,6 +18,11 @@ jobs:
       version: ${{ steps.gh.outputs.version }}
       sha: ${{ steps.gh.outputs.sha }}
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: 'openwrt'
+
       - name: GH
         id: gh
         env:
@@ -25,7 +30,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         shell: bash
         run: |
-          echo "version=$(gh api repos/$REPO/releases/latest --jq '.tag_name' | sed 's/v//')" >> $GITHUB_OUTPUT
+          echo "version=$(cat youtubeUnblock/Makefile | grep PKG_VERSION | sed 's/PKG_VERSION:=//')" >> $GITHUB_OUTPUT
           if [[ "${{ github.event_name }}" != "pull_request" ]]; then
             echo "sha=$(echo ${GITHUB_SHA::7})" >> $GITHUB_OUTPUT
           else
@@ -220,7 +225,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          ref: 'openwrt'
+          ref: 'entware'
 
       - name: Prepare build
         env:

README.md

@@ -6,6 +6,7 @@
     - [Firewall configuration](#firewall-configuration)
       - [nftables rules](#nftables-rules)
       - [Iptables rules](#iptables-rules)
+    - [IPv6](#ipv6)
   - [Check it](#check-it)
   - [Flags](#flags)
   - [Troubleshooting](#troubleshooting)
@@ -23,13 +24,13 @@
 
 Bypasses Deep Packet Inspection (DPI) systems that relies on SNI. The package is for Linux only. It is also fully compatible with routers running [OpenWRT](https://github.com/openwrt). 
 
-The program was primarily developed to bypass YouTube Outage in Russia, but it works good with other websites blocked by SNI. Adjust the list of websites via `--sni-domains` flag for the program.
+The program was primarily developed to bypass YouTube Outage in Russia.
 
 The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via Github Actions. The binaries of main branch are published in the [development pre-release](https://github.com/Waujito/youtubeUnblock/releases/tag/continuous). Check out [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml) if you want to see all the binaries compiled ever. You should know the arcitecture of your hardware to use binaries. On OpenWRT you can check it with command `grep ARCH /etc/openwrt_release`.
 
 On both OpenWRT and Entware install the program with opkg. If you got read-only filesystem error you may unpack the binary manually or specify opkg path `opkg -o <destdir>`.
 
-For Windows use [GoodbyeDPI from ValdikSS](https://github.com/ValdikSS/GoodbyeDPI) (you can find how to use it for YouTube [here](https://github.com/ValdikSS/GoodbyeDPI/issues/378)) The same behavior is also implemented in [zapret package for linux](https://github.com/bol-van/zapret).
+For Windows use [GoodbyeDPI by ValdikSS](https://github.com/ValdikSS/GoodbyeDPI) (you can find how to use it for YouTube [here](https://github.com/ValdikSS/GoodbyeDPI/issues/378)) The same behavior is also implemented in [zapret package for linux](https://github.com/bol-van/zapret).
 
 ## Configuration
 
@@ -73,13 +74,9 @@ You can also run `/etc/init.d/youtubeUnblock enable` to force OpenWRT autostart
 
 ### Entware
 
-For Entware on Keenetic here is an [installation guide (russian)](https://help.keenetic.com/hc/ru/articles/360021214160-%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D1%8B-%D0%BF%D0%B0%D0%BA%D0%B5%D1%82%D0%BE%D0%B2-%D1%80%D0%B5%D0%BF%D0%BE%D0%B7%D0%B8%D1%82%D0%BE%D1%80%D0%B8%D1%8F-Entware-%D0%BD%D0%B0-USB-%D0%BD%D0%B0%D0%BA%D0%BE%D0%BF%D0%B8%D1%82%D0%B5%D0%BB%D1%8C). Note that if your Entware router is missing netfilter queue kernel modules, here is no way to deal with it since Entware does not offer kernel modules. You should probably try to install OpenWRT if the problem persist. You can check required modules with command `find /lib/modules/$(uname -r) -type f -name 'nfnetlink_queue.ko*'`. If that command return not null string, everything alright. All you need is to load the modules.
+For Entware on Keenetic here is an [installation guide (russian)](https://help.keenetic.com/hc/ru/articles/360021214160-%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D1%8B-%D0%BF%D0%B0%D0%BA%D0%B5%D1%82%D0%BE%D0%B2-%D1%80%D0%B5%D0%BF%D0%BE%D0%B7%D0%B8%D1%82%D0%BE%D1%80%D0%B8%D1%8F-Entware-%D0%BD%D0%B0-USB-%D0%BD%D0%B0%D0%BA%D0%BE%D0%BF%D0%B8%D1%82%D0%B5%D0%BB%D1%8C). Note that if your Entware router is missing netfilter queue kernel modules, here is no way to deal with it since Entware does not offer kernel modules. 
 
-To check whether the modules are loaded, do `lsmod | grep nfnetlink_queue`. If the program return nothing, you should load them manually. 
-```sh
-insmod /lib/modules/3.3.8/kernel/net/netfilter/nfnetlink_queue.ko
-insmod /lib/modules/3.3.8/kernel/net/netfilter/xt_NFQUEUE.ko
-```
+Install the binary with `opkg install youtubeUnblock-*.ipk`. After installation, the binary in /opt/bin and the init script in /opt/etc/init.d/S51youtubeUnblock will be available. To run the youtubeUnblock, simply run `/opt/etc/init.d/S51youtubeUnblock start`
 
 ### PC configuration
 On local host make sure to change **FORWARD** to **OUTPUT** chain in the following Firewall rulesets.
@@ -104,6 +101,16 @@ iptables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir or
 iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
 ```
 
+#### IPv6
+
+For IPv6 on iptables you need to duplicate rules above for ip6tables:
+```sh
+ip6tables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
+ip6tables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
+```
+
+
+
 Note that above rules use *conntrack* to route only first 20 packets from the connection to **youtubeUnblock**. 
 If you got some troubles with it, for example **youtubeUnblock** doesn't detect YouTube, try to delete *connbytes* from the rules. But it is an unlikely behavior and you should probably check your ruleset.
 
@@ -126,9 +133,11 @@ curl -o/dev/null -k --connect-to ::google.com -k -L -H Host:\ mirror.gcr.io http
 
 ## Flags
 
+Put flags to the **BINARY**, not an init script. If you are on OpenWRT you should put the flags inside the script: open `/etc/init.d/youtubeUnblock` with any text editor, like vi or nano and put your flags after `procd_set_param command /usr/bin/youtubeUnblock` line.
+
 Available flags:
 
-- `--sni-domains=<comma separated domain list>|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults is `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled.
+- `--sni-domains=<comma separated domain list>|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults to `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled.
 
 - `--queue-num=<number of netfilter queue>` The number of netfilter queue **youtubeUnblock** will be linked to. Defaults to **537**.
 
@@ -144,6 +153,8 @@ Available flags:
 
 - `--faking-ttl=<ttl>` Tunes the time to live (TTL) of fake SNI messages. TTL is specified like that the packet will go through the DPI system and captured by it, but will not reach the destination server. Defaults to **8**.
 
+- `--fake-seq-offset` Tunes the offset from original sequence number for fake packets. Used by randseq faking strategy. Defaults to 10000. If 0, random sequence number will be set.
+
 - `--frag={tcp,ip,none}` Specifies the fragmentation strategy for the packet. tcp is used by default. Ip fragmentation may be blocked by DPI system. None specifies no fragmentation. Probably this won't work, but may be will work for some fake sni strategies.
 
 - `--frag-sni-reverse={0|1}` Specifies **youtubeUnblock** to send *ClientHello* fragments in the reverse order. Defaults to **1**.
@@ -152,12 +163,16 @@ Available flags:
 
 - `--frag-middle-sni={0|1}` With this options **youtubeUnblock** will split the packet in the middle of SNI data. Defaults to 1.
 
-- `--frag-sni-pos=<pos>` With this option **youtubeUnblock** will split the packet at the position pos. Defaults to 2.
+- `--frag-sni-pos=<pos>` With this option **youtubeUnblock** will split the packet at the position pos. Defaults to 1.
 
 - `--quic-drop` Drop all QUIC packets which goes to youtubeUnblock. Won't affect any other UDP packets. Suitable for some TVs. Note, that for this option to work you should also add proxy udp to youtubeUnblock in firewall. `connbytes` may also be used with udp.
 
 - `--fk-winsize=<winsize>` Specifies window size for the fragmented TCP packet. Applicable if you want for response to be fragmented. May slowdown connection initialization.
 
+- `--synfake={1|0}` If 1, syn payload will be sent before each request. The idea is taken from syndata from zapret project. Syn payload will normally be discarded by endpoint but may be handled by TSPU. This option sends normal fake in that payload. Please note, that the option works for all the sites, so --sni-domains won't change anything.
+
+- `--synfake-len=<len>` The fake packet sent in synfake may be too large. If you experience issues, lower up synfake-len. where len stands for how much bytes should be sent as syndata. Pass 0 if you want to send an entire fake packet. Defaults to 0
+
 - `--sni-detection={parse|brute}` Specifies how to detect SNI. Parse will normally detect it by parsing the Client Hello message. Brute will go through the entire message and check possibility of SNI occurrence. Please note, that when `--sni-domains` option is not all brute will be O(nm) time complexity where n stands for length of the message and m is number of domains. Defaults to parse.
 
 - `--seg2delay=<delay>` This flag forces **youtubeUnblock** to wait a little bit before send the 2nd part of the split packet.
@@ -168,8 +183,12 @@ Available flags:
 
 - `--no-gso` Disables support for Google Chrome fat packets which uses GSO. This feature is well tested now, so this flag probably won't fix anything.
 
+- `--no-ipv6` Disables support for ipv6. May be useful if you don't want for ipv6 socket to be opened.
+
 - `--threads=<threads number>` Specifies the amount of threads you want to be running for your program. This defaults to **1** and shouldn't be edited for normal use. If you have performance issues, consult [performance chaptr](https://github.com/Waujito/youtubeUnblock?tab=readme-ov-file#performance)
 
+- `--packet-mark=<mark>` Use this option if youtubeUnblock conflicts with other systems rely on packet mark. Note that you may want to change accept rule for iptables to follow the mark.
+
 ## Troubleshooting
 
 If you got troubles with some sites and you sure that they are blocked by SNI (youtube for example), use may play around with [flags](#flags) and their combinations. At first it is recommended to try `--faking-strategy` flag and `--frag-sni-faked=1`.

args.c

@@ -19,7 +19,12 @@ struct config_t config = {
 	.fake_sni = 1,
 	.fake_sni_seq_len = 1,
 	.frag_middle_sni = 1,
-	.frag_sni_pos = 2,
+	.frag_sni_pos = 1,
+	.use_ipv6 = 1,
+	.fakeseq_offset = 10000,
+	.mark = DEFAULT_RAWSOCKET_MARK,
+	.synfake = 0,
+	.synfake_len = 0,
 
 	.sni_detection = SNI_DETECTION_PARSE,
 
@@ -63,21 +68,29 @@ struct config_t config = {
 #define OPT_TRACE		15
 #define OPT_QUIC_DROP		16
 #define OPT_SNI_DETECTION	17
+#define OPT_NO_IPV6		20
+#define OPT_FAKE_SEQ_OFFSET	21
+#define OPT_PACKET_MARK 	22
+#define OPT_SYNFAKE	 	23
+#define OPT_SYNFAKE_LEN	 	24
 #define OPT_SEG2DELAY 		5
 #define OPT_THREADS 		6
 #define OPT_SILENT 		7
 #define OPT_NO_GSO 		8
 #define OPT_QUEUE_NUM		9
 
-#define OPT_MAX OPT_FRAG_SNI_POS
+#define OPT_MAX OPT_SYNFAKE_LEN
 
 static struct option long_opt[] = {
 	{"help",		0, 0, 'h'},
 	{"version",		0, 0, 'v'},
 	{"sni-domains",		1, 0, OPT_SNI_DOMAINS},
 	{"fake-sni",		1, 0, OPT_FAKE_SNI},
+	{"synfake",		1, 0, OPT_SYNFAKE},
+	{"synfake-len",		1, 0, OPT_SYNFAKE_LEN},
 	{"fake-sni-seq-len",	1, 0, OPT_FAKE_SNI_SEQ_LEN},
 	{"faking-strategy",	1, 0, OPT_FAKING_STRATEGY},
+	{"fake-seq-offset",	1, 0, OPT_FAKE_SEQ_OFFSET},
 	{"faking-ttl",		1, 0, OPT_FAKING_TTL},
 	{"frag",		1, 0, OPT_FRAG},
 	{"frag-sni-reverse",	1, 0, OPT_FRAG_SNI_REVERSE},
@@ -92,7 +105,9 @@ static struct option long_opt[] = {
 	{"silent",		0, 0, OPT_SILENT},
 	{"trace",		0, 0, OPT_TRACE},
 	{"no-gso",		0, 0, OPT_NO_GSO},
+	{"no-ipv6",		0, 0, OPT_NO_IPV6},
 	{"queue-num",		1, 0, OPT_QUEUE_NUM},
+	{"packet-mark",		1, 0, OPT_PACKET_MARK},
 	{0,0,0,0}
 };
 
@@ -129,8 +144,11 @@ void print_usage(const char *argv0) {
 	printf("\t--sni-domains=<comma separated domain list>|all\n");
 	printf("\t--fake-sni={1|0}\n");
 	printf("\t--fake-sni-seq-len=<length>\n");
+	printf("\t--fake-seq-offset=<offset>\n");
 	printf("\t--faking-ttl=<ttl>\n");
 	printf("\t--faking-strategy={randseq|ttl|tcp_check|pastseq}\n");
+	printf("\t--synfake={1|0}\n");
+	printf("\t--synfake-len=<len>\n");
 	printf("\t--frag={tcp,ip,none}\n");
 	printf("\t--frag-sni-reverse={0|1}\n");
 	printf("\t--frag-sni-faked={0|1}\n");
@@ -141,9 +159,11 @@ void print_usage(const char *argv0) {
 	printf("\t--sni-detection={parse|brute}\n");
 	printf("\t--seg2delay=<delay>\n");
 	printf("\t--threads=<threads number>\n");
+	printf("\t--packet-mark=<mark>\n");
 	printf("\t--silent\n");
 	printf("\t--trace\n");
 	printf("\t--no-gso\n");
+	printf("\t--no-ipv6\n");
 	printf("\n");
 }
 
@@ -169,6 +189,9 @@ int parse_args(int argc, char *argv[]) {
 		case OPT_NO_GSO:
 			config.use_gso = 0;
 			break;
+		case OPT_NO_IPV6:
+			config.use_ipv6 = 0;
+			break;
 		case OPT_QUIC_DROP:
 			config.quic_drop = 1;
 			break;
@@ -262,7 +285,14 @@ int parse_args(int argc, char *argv[]) {
 
 			config.faking_ttl = num;
 			break;
+		case OPT_FAKE_SEQ_OFFSET:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0) {
+				goto invalid_opt;
+			}
 
+			config.fakeseq_offset = num;
+			break;
 		case OPT_FAKE_SNI:
 			if (strcmp(optarg, "1") == 0) {
 				config.fake_sni = 1;				
@@ -289,6 +319,24 @@ int parse_args(int argc, char *argv[]) {
 
 			config.fk_winsize = num;
 			break;
+		case OPT_SYNFAKE:
+			if (strcmp(optarg, "1") == 0) {
+				config.synfake = 1;
+			} else if (strcmp(optarg, "0") == 0) {
+				config.synfake = 0;
+			} else {
+				goto invalid_opt;
+			}
+
+			break;
+		case OPT_SYNFAKE_LEN:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0) {
+				goto invalid_opt;
+			}
+
+			config.synfake_len = num;
+			break;
 		case OPT_SEG2DELAY:
 			num = parse_numeric_option(optarg);
 			if (errno != 0 || num < 0) {
@@ -313,6 +361,15 @@ int parse_args(int argc, char *argv[]) {
 
 			config.queue_start_num = num;
 			break;
+		case OPT_PACKET_MARK:
+			num = parse_numeric_option(optarg);
+			if (errno != 0 || num < 0) {
+				goto invalid_opt;
+			}
+
+			config.mark = num;
+			break;
+
 		default:
 			goto error;
 		}
@@ -375,6 +432,7 @@ void print_welcome() {
 			break;
 		case FAKE_STRAT_RAND_SEQ:
 			printf("Random seq faking strategy will be used\n");
+			printf("Fake seq offset set to %u\n", config.fakeseq_offset);
 			break;
 		case FAKE_STRAT_TCP_CHECK:
 			printf("TCP checksum faking strategy will be used\n");
@@ -388,11 +446,21 @@ void print_welcome() {
 		printf("Response TCP window will be set to %d with the appropriate scale\n", config.fk_winsize);
 	}
 
+	if (config.synfake) {
+		printf("Fake SYN payload will be sent with each TCP request SYN packet\n");
+	}
+
 
 	if (config.use_gso) {
 		printf("GSO is enabled\n");
 	}
 
+	if (config.use_ipv6) {
+		printf("IPv6 is enabled\n");
+	} else {
+		printf("IPv6 is disabled\n");
+	}
+
 	if (config.quic_drop) {
 		printf("All QUIC packets will be dropped\n");
 	}

config.h

@@ -18,6 +18,7 @@ struct config_t {
 	unsigned int queue_start_num;
 	int threads;
 	int use_gso;
+	int use_ipv6;
 	int fragmentation_strategy;
 	int frag_sni_reverse;
 	int frag_sni_faked;
@@ -43,6 +44,10 @@ struct config_t {
 	const char *fake_sni_pkt;
 	unsigned int fake_sni_pkt_sz;
 	unsigned int fk_winsize;
+	unsigned int fakeseq_offset;
+	unsigned int mark;
+	int synfake;
+	unsigned int synfake_len;
 };
 
 extern struct config_t config;
@@ -69,7 +74,7 @@ extern struct config_t config;
 #define FRAGMENTATION_STRATEGY FRAG_STRAT_TCP
 #endif
 
-#define RAWSOCKET_MARK (1 << 15)
+#define DEFAULT_RAWSOCKET_MARK (1 << 15)
 
 #ifdef USE_SEG2_DELAY
 #define SEG2_DELAY 100
@@ -87,7 +92,7 @@ extern struct config_t config;
 
 
 #ifndef FAKING_STRATEGY
-#define FAKING_STRATEGY FAKE_STRAT_RAND_SEQ
+#define FAKING_STRATEGY FAKE_STRAT_PAST_SEQ
 #endif
 
 #if !defined(SILENT) && !defined(KERNEL_SPACE)

logging.h

@@ -20,12 +20,16 @@
 })
 #endif /* PROGRAM_SPACE */
 
+#define lgdebug(msg, ...) \
+(LOG_LEVEL >= VERBOSE_DEBUG ? printf(msg, ##__VA_ARGS__) : 0)
 
-#define lgdebugmsg(msg, ...) \
-(LOG_LEVEL >= VERBOSE_DEBUG ? printf(msg "\n", ##__VA_ARGS__) : 0)
+#define lgdebugmsg(msg, ...) lgdebug(msg "\n", ##__VA_ARGS__)
 
-#define lgtracemsg(msg, ...) \
-(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg "\n", ##__VA_ARGS__) : 0)
+
+#define lgtrace(msg, ...) \
+(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg, ##__VA_ARGS__) : 0)
+
+#define lgtracemsg(msg, ...) lgtrace(msg "\n", __VA_ARGS__)
 
 #define lgtrace_start(msg, ...) \
 (LOG_LEVEL >= VERBOSE_TRACE ? printf("[TRACE] " msg " ( ", ##__VA_ARGS__) : 0)

mangle.c

@@ -16,23 +16,44 @@ int process_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 	}
 
 	const struct iphdr *iph;
+	const struct ip6_hdr *ip6h;
 	uint32_t iph_len;
 	const uint8_t *ip_payload;
 	uint32_t ip_payload_len;
 
+	int transport_proto = -1;
+	int ipver = netproto_version(raw_payload, raw_payload_len);
 	int ret;
 
-	ret = ip4_payload_split((uint8_t *)raw_payload, raw_payload_len,
+	if (ipver == IP4VERSION) {
+		ret = ip4_payload_split((uint8_t *)raw_payload, raw_payload_len,
 			 (struct iphdr **)&iph, &iph_len, 
 			 (uint8_t **)&ip_payload, &ip_payload_len);
 
+		if (ret < 0)
+			goto accept;
 
-	if (ret < 0) 
+		transport_proto = iph ->protocol;
+
+	} else if (ipver == IP6VERSION && config.use_ipv6) {
+		ret = ip6_payload_split((uint8_t *)raw_payload, raw_payload_len,
+			 (struct ip6_hdr **)&ip6h, &iph_len, 
+			 (uint8_t **)&ip_payload, &ip_payload_len);
+
+		if (ret < 0)
+			goto accept;
+
+		transport_proto = ip6h->ip6_ctlun.ip6_un1.ip6_un1_nxt;
+
+	} else {
+		lgtracemsg("Unknown layer 3 protocol version: %d", ipver);
 		goto accept;
+	}
+
 	
-	switch (iph->protocol) {
+	switch (transport_proto) {
 	case IPPROTO_TCP:
-		return process_tcp4_packet(raw_payload, raw_payload_len);
+		return process_tcp_packet(raw_payload, raw_payload_len);
 	case IPPROTO_UDP:
 		return process_udp4_packet(raw_payload, raw_payload_len);
 	default:
@@ -45,22 +66,69 @@ drop:
 	return PKT_DROP;
 }
 
-int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
-	const struct iphdr *iph;
+int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
+	const void *ipxh;
 	uint32_t iph_len;
 	const struct tcphdr *tcph;
 	uint32_t tcph_len;
 	const uint8_t *data;
 	uint32_t dlen;
 
-	int ret = tcp4_payload_split((uint8_t *)raw_payload, raw_payload_len,
-			      (struct iphdr **)&iph, &iph_len, (struct tcphdr **)&tcph, &tcph_len,
+	int ipxv = netproto_version(raw_payload, raw_payload_len);
+
+	lgtrace_start("TCP");
+	lgtrace_addp("IPv%d", ipxv);
+
+	int ret = tcp_payload_split((uint8_t *)raw_payload, raw_payload_len,
+			      (void *)&ipxh, &iph_len,
+			      (struct tcphdr **)&tcph, &tcph_len,
 			      (uint8_t **)&data, &dlen);
 
+
 	if (ret < 0) {
 		goto accept;
 	}
 
+	if (tcph->syn && config.synfake) {
+		lgtrace_addp("TCP syn alter");
+		uint8_t payload[MAX_PACKET_SIZE];
+		memcpy(payload, ipxh, iph_len);
+		memcpy(payload + iph_len, tcph, tcph_len);
+		uint32_t fake_len = config.fake_sni_pkt_sz;
+
+		if (config.synfake_len) 
+			fake_len = min(config.synfake_len, fake_len);
+
+		memcpy(payload + iph_len + tcph_len, config.fake_sni_pkt, fake_len);
+
+
+		struct tcphdr *tcph = (struct tcphdr *)(payload + iph_len);
+		if (ipxv == IP4VERSION) {
+			struct iphdr *iph = (struct iphdr *)payload;
+			iph->tot_len = htons(iph_len + tcph_len + fake_len);
+			set_ip_checksum(payload, iph_len);
+			set_tcp_checksum(tcph, iph, iph_len);
+		} else if (ipxv == IP6VERSION) {
+			struct ip6_hdr *ip6h = (struct ip6_hdr *)payload;
+			ip6h->ip6_ctlun.ip6_un1.ip6_un1_plen = 
+				ntohs(tcph_len + fake_len);
+			set_ip_checksum(ip6h, iph_len);
+			set_tcp_checksum(tcph, ip6h, iph_len);
+		}
+
+
+
+		ret = instance_config.send_raw_packet(payload, iph_len + tcph_len + fake_len);
+		if (ret < 0) {
+			lgerror("send_syn_altered", ret);
+			goto accept;
+		}
+		lgtrace_addp("rawsocket sent %d", ret);
+		goto drop;
+	}
+
+	if (tcph->syn) goto accept;
+
 	struct tls_verdict vrd = analyze_tls_data(data, dlen);
 
 	if (vrd.target_sni) {
@@ -70,24 +138,28 @@ int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 		uint32_t payload_len = raw_payload_len;
 		memcpy(payload, raw_payload, raw_payload_len);
 
-		struct iphdr *iph;
+		void *iph;
 		uint32_t iph_len;
 		struct tcphdr *tcph;
 		uint32_t tcph_len;
 		uint8_t *data;
 		uint32_t dlen;
 
-		int ret = tcp4_payload_split(payload, payload_len,
+		int ret = tcp_payload_split(payload, payload_len,
 				      &iph, &iph_len, &tcph, &tcph_len,
 				      &data, &dlen);
 
+		if (ret < 0) {
+			lgerror("tcp_payload_split in targ_sni", ret);
+			goto accept;
+		}
+
 		if (config.fk_winsize) {
 			tcph->window = htons(config.fk_winsize);
 		}
 
-		ip4_set_checksum(iph);
-		tcp4_set_checksum(tcph, iph);
-
+		set_ip_checksum(iph, iph_len);
+		set_tcp_checksum(tcph, iph, iph_len);
 		
 		if (dlen > 1480 && config.verbose) {
 			lgdebugmsg("WARNING! Client Hello packet is too big and may cause issues!");
@@ -123,7 +195,7 @@ int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 					poses[1] = tmp;
 				}
 
-				ret = send_tcp4_frags(payload, payload_len, poses, cnt, 0);
+				ret = send_tcp_frags(payload, payload_len, poses, cnt, 0);
 				if (ret < 0) {
 					lgerror("tcp4 send frags", ret);
 					goto accept;
@@ -132,7 +204,8 @@ int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 				goto drop;
 			}
 			break;
-			case FRAG_STRAT_IP: {
+			case FRAG_STRAT_IP: 
+			if (ipxv != IP4VERSION) {
 				ipd_offset = ((char *)data - (char *)tcph) + vrd.sni_offset;
 				mid_offset = ipd_offset + vrd.sni_len / 2;
 				mid_offset += 8 - mid_offset % 8;
@@ -163,8 +236,10 @@ int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 				}
 
 				goto drop;
+				break;
+			} else {
+				printf("WARNING: IP fragmentation is supported only for IPv4\n");	
 			}
-			break;
 			default:
 				ret = instance_config.send_raw_packet(payload, payload_len);
 				if (ret < 0) {
@@ -181,8 +256,14 @@ int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 	}
 
 accept:
+	lgtrace_addp("accept");
+	lgtrace_end();
+
 	return PKT_ACCEPT;
 drop:
+	lgtrace_addp("drop");
+	lgtrace_end();
+
 	return PKT_DROP;
 }
 
@@ -321,7 +402,7 @@ out:
 	return 0;
 }
 
-int send_tcp4_frags(const uint8_t *packet, uint32_t pktlen, const uint32_t *poses, uint32_t poses_sz, uint32_t dvs) {
+int send_tcp_frags(const uint8_t *packet, uint32_t pktlen, const uint32_t *poses, uint32_t poses_sz, uint32_t dvs) {
 	if (poses_sz == 0) {
 		if (config.seg2_delay && ((dvs > 0) ^ config.frag_sni_reverse)) {
 			if (!instance_config.send_delayed_packet) {
@@ -333,6 +414,7 @@ int send_tcp4_frags(const uint8_t *packet, uint32_t pktlen, const uint32_t *pose
 
 			return 0;
 		} else {
+			lgtrace_addp("raw send packet of %d bytes with %d dvs", pktlen, dvs);
 			return instance_config.send_raw_packet(
 				packet, pktlen);
 		}
@@ -350,20 +432,24 @@ int send_tcp4_frags(const uint8_t *packet, uint32_t pktlen, const uint32_t *pose
 			return -EINVAL;
 		}
 
-		ret = tcp4_frag(packet, pktlen, poses[0] - dvs, 
+
+		ret = tcp_frag(packet, pktlen, poses[0] - dvs, 
 			frag1, &f1len, frag2, &f2len);
 
+		lgtrace_addp("Packet split in %d bytes position of payload start, dvs: %d to two packets of %d and %d lengths", poses[0], dvs, f1len, f2len);
+
 		if (ret < 0) {
-			lgerror("send_frags: frag: with context packet with size %d, position: %d, recursive dvs: %d", ret, pktlen, poses[0], dvs);
+			lgerror("send_frags: tcp_frag: with context packet with size %d, position: %d, recursive dvs: %d", ret, pktlen, poses[0], dvs);
 			return ret;
 		}
 
+
 		if (config.frag_sni_reverse)
 			goto send_frag2;
 		
 send_frag1:
 		{
-			ret = send_tcp4_frags(frag1, f1len, NULL, 0, 0);
+			ret = send_tcp_frags(frag1, f1len, NULL, 0, 0);
 			if (ret < 0) {
 				return ret;
 			}
@@ -373,21 +459,28 @@ send_frag1:
 		}
 
 send_fake:
+		// TODO
 		if (config.frag_sni_faked) {
 			uint32_t iphfl, tcphfl;
-			ret = tcp4_payload_split(frag2, f2len, NULL, &iphfl, NULL, &tcphfl, NULL, NULL);
+			ret = tcp_payload_split(frag2, f2len, NULL, &iphfl, NULL, &tcphfl, NULL, NULL);
 			if (ret < 0) {
 				lgerror("Invalid frag2", ret);
 				return ret;
 			}
 			memcpy(fake_pad, frag2, iphfl + tcphfl);
 			memset(fake_pad + iphfl + tcphfl, 0, f2len - iphfl - tcphfl);
-			ret = fail4_packet(fake_pad, f2len);
+			struct tcphdr *fakethdr = (void *)(fake_pad + iphfl);
+			if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+				lgtrace("frag fake sent with %u -> ", ntohl(fakethdr->seq));
+				fakethdr->seq = htonl(ntohl(fakethdr->seq) - dvs);
+				lgtrace_addp("%u, ", ntohl(fakethdr->seq));
+			}
+			ret = fail_packet(fake_pad, f2len);
 			if (ret < 0) {
 				lgerror("Failed to fail packet", ret);
 				return ret;
 			}
-			ret = send_tcp4_frags(fake_pad, f2len, NULL, 0, 0);
+			ret = send_tcp_frags(fake_pad, f2len, NULL, 0, 0);
 			if (ret < 0) {
 				return ret;
 			}
@@ -400,7 +493,7 @@ send_fake:
 send_frag2:
 		{
 			dvs += poses[0];
-			ret = send_tcp4_frags(frag2, f2len, poses + 1, poses_sz - 1, dvs);
+			ret = send_tcp_frags(frag2, f2len, poses + 1, poses_sz - 1, dvs);
 			if (ret < 0) {
 				return ret;
 			}
@@ -413,28 +506,30 @@ out:
 	return 0;
 }
 
-int post_fake_sni(const struct iphdr *iph, unsigned int iph_len, 
+int post_fake_sni(const void *iph, unsigned int iph_len, 
 		     const struct tcphdr *tcph, unsigned int tcph_len,
 		     unsigned char sequence_len) {
-	uint8_t rfsiph[60];
+	uint8_t rfsiph[128];
 	uint8_t rfstcph[60];
 	int ret;
 
 	memcpy(rfsiph, iph, iph_len);
 	memcpy(rfstcph, tcph, tcph_len);
 
-	struct iphdr *fsiph = (void *)rfsiph;
+	void *fsiph = (void *)rfsiph;
 	struct tcphdr *fstcph = (void *)rfstcph;
 
 	for (int i = 0; i < sequence_len; i++) {
 		uint8_t fake_sni[MAX_PACKET_SIZE];
 		uint32_t fsn_len = MAX_PACKET_SIZE;
-		ret = gen_fake_sni(fsiph, fstcph, fake_sni, &fsn_len);
+		ret = gen_fake_sni(fsiph, iph_len, fstcph, tcph_len, 
+		     fake_sni, &fsn_len);
 		if (ret < 0) {
 			lgerror("gen_fake_sni", ret);
 			return ret;
 		}
 
+		lgtrace_addp("post fake sni #%d", i + 1);
 		ret = instance_config.send_raw_packet(fake_sni, fsn_len);
 		if (ret < 0) {
 			lgerror("send fake sni", ret);
@@ -444,9 +539,10 @@ int post_fake_sni(const struct iphdr *iph, unsigned int iph_len,
 		uint32_t iph_len;
 		uint32_t tcph_len;
 		uint32_t plen;
-		tcp4_payload_split(
+		tcp_payload_split(
 			fake_sni, fsn_len, 
-			&fsiph, &iph_len, &fstcph, &tcph_len,
+			&fsiph, &iph_len,
+			&fstcph, &tcph_len,
 			NULL, &plen);
 
 
@@ -692,42 +788,64 @@ brute:
 	goto out;
 }
 
-
-int gen_fake_sni(const struct iphdr *iph, const struct tcphdr *tcph, 
+int gen_fake_sni(const void *ipxh, uint32_t iph_len, 
+		 const struct tcphdr *tcph, uint32_t tcph_len,
 		 uint8_t *buf, uint32_t *buflen) {
 
-	if (!iph || !tcph || !buf || !buflen)
+	if (!ipxh || !tcph || !buf || !buflen)
 		return -EINVAL;
 
-	int ip_len = iph->ihl * 4;
-	int tcph_len = tcph->doff * 4;
+	int ipxv = netproto_version(ipxh, iph_len);
+
+	if (ipxv == IP4VERSION) {
+		const struct iphdr *iph = ipxh;
+
+		memcpy(buf, iph, iph_len);
+		struct iphdr *niph = (struct iphdr *)buf;
+
+		niph->protocol = IPPROTO_TCP;
+	} else if (ipxv == IP6VERSION) {
+		const struct ip6_hdr *iph = ipxh;
+
+		iph_len = sizeof(struct ip6_hdr);
+		memcpy(buf, iph, iph_len);
+		struct ip6_hdr *niph = (struct ip6_hdr *)buf;
+
+		niph->ip6_ctlun.ip6_un1.ip6_un1_nxt = IPPROTO_TCP;
+	} else {
+		return -EINVAL;
+	}
 
 	const char *data = config.fake_sni_pkt;
 	size_t data_len = config.fake_sni_pkt_sz;
 
-	size_t dlen = ip_len + tcph_len + data_len;
+	size_t dlen = iph_len + tcph_len + data_len;
 
 	if (*buflen < dlen) 
 		return -ENOMEM;
 
-	memcpy(buf, iph, ip_len);
-	memcpy(buf + ip_len, tcph, tcph_len);
-	memcpy(buf + ip_len + tcph_len, data, data_len);
+	memcpy(buf + iph_len, tcph, tcph_len);
+	memcpy(buf + iph_len + tcph_len, data, data_len);
 
-	struct iphdr *niph = (struct iphdr *)buf;
-	struct tcphdr *ntcph = (struct tcphdr *)(buf + ip_len);
+	struct tcphdr *ntcph = (struct tcphdr *)(buf + iph_len);
 
-	niph->protocol = IPPROTO_TCP;
-	niph->tot_len = htons(dlen);
+	if (ipxv == IP4VERSION) {
+		struct iphdr *niph = (struct iphdr *)buf;
+		niph->tot_len = htons(dlen);
+	} else if (ipxv == IP6VERSION) {
+		struct ip6_hdr *niph = (struct ip6_hdr *)buf;
+		niph->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(dlen - iph_len);
+	}
 
-	fail4_packet(buf, *buflen);
+	fail_packet(buf, *buflen);
 
 	*buflen = dlen;
+	
 	return 0;
 }
 
-int fail4_packet(uint8_t *payload, uint32_t plen) {
-	struct iphdr *iph;
+int fail_packet(uint8_t *payload, uint32_t plen) {
+	void *iph;
 	uint32_t iph_len;
 	struct tcphdr *tcph;
 	uint32_t tcph_len;
@@ -735,7 +853,7 @@ int fail4_packet(uint8_t *payload, uint32_t plen) {
 	uint32_t dlen;
 	int ret;
 
-	ret = tcp4_payload_split(payload, plen, 
+	ret = tcp_payload_split(payload, plen, 
 			&iph, &iph_len, &tcph, &tcph_len,
 			&data, &dlen);
 
@@ -743,24 +861,46 @@ int fail4_packet(uint8_t *payload, uint32_t plen) {
 		return ret;
 	}
 
+
 	if (config.faking_strategy == FAKE_STRAT_RAND_SEQ) {
+		lgtrace("fake seq: %u -> ", ntohl(tcph->seq));
+
+		if (config.fakeseq_offset) {
+			tcph->seq = htonl(ntohl(tcph->seq) - config.fakeseq_offset);
+		} else {
 #ifdef KERNEL_SCOPE
-		tcph->seq = 124;
-		tcph->ack_seq = 124;
+			tcph->seq = 124;
 #else
-		tcph->seq = random();
-		tcph->ack_seq = random();
+			tcph->seq = random();
 #endif
+
+		}
+
+		lgtrace_addp("%u", ntohl(tcph->seq));
 	} else if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+		lgtrace("fake seq: %u -> ", ntohl(tcph->seq));
 		tcph->seq = htonl(ntohl(tcph->seq) - dlen);
+		lgtrace_addp("%u", ntohl(tcph->seq));
+
 	} else if (config.faking_strategy == FAKE_STRAT_TTL) {
-		iph->ttl = config.faking_ttl;
+		lgtrace_addp("set fake ttl to %d", config.faking_ttl);
+
+		uint32_t ipxv = netproto_version(payload, plen);
+		if (ipxv == IP4VERSION) {
+			((struct iphdr *)iph)->ttl = config.faking_ttl;
+		} else if (ipxv == IP6VERSION) {
+			((struct ip6_hdr *)iph)->ip6_ctlun.ip6_un1.ip6_un1_hlim = config.faking_ttl;
+		} else {
+			lgerror("fail_packet: IP version is unsupported", -EINVAL);
+			return -EINVAL;
+		}
 	}
 
-	ip4_set_checksum(iph);
-	tcp4_set_checksum(tcph, iph);
+	set_ip_checksum(iph, iph_len);
+	set_tcp_checksum(tcph, iph, iph_len);
 
 	if (config.faking_strategy == FAKE_STRAT_TCP_CHECK) {
+		lgtrace_addp("break fake tcp checksum");
 		tcph->check += 1;
 	}
 

mangle.h

@@ -22,14 +22,15 @@ struct tls_verdict analyze_tls_data(const uint8_t *data, uint32_t dlen);
 /**
  * Generates fake client hello message
  */
-int gen_fake_sni(const struct iphdr *iph, const struct tcphdr *tcph, 
+int gen_fake_sni(const void *iph, uint32_t iph_len, 
+		 const struct tcphdr *tcph, uint32_t tcph_len, 
 		 uint8_t *buf, uint32_t *buflen);
 
 /**
  * Invalidates the raw packet. The function aims to invalid the packet
  * in such way as it will be accepted by DPI, but dropped by target server
  */
-int fail4_packet(uint8_t *payload, uint32_t plen);
+int fail_packet(uint8_t *payload, uint32_t plen);
 
 #define PKT_ACCEPT	0
 #define PKT_DROP	1
@@ -45,7 +46,7 @@ int process_packet(const uint8_t *packet, uint32_t packet_len);
  * Processe the TCP packet.
  * Returns verdict.
  */
-int process_tcp4_packet(const uint8_t *raw_payload, uint32_t raw_payload_len);
+int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len);
 
 
 /**
@@ -57,7 +58,7 @@ int process_udp4_packet(const uint8_t *pkt, uint32_t pktlen);
 /**
  * Sends fake client hello.
  */
-int post_fake_sni(const struct iphdr *iph, unsigned int iph_len, 
+int post_fake_sni(const void *iph, unsigned int iph_len, 
 		     const struct tcphdr *tcph, unsigned int tcph_len,
 		     unsigned char sequence_len);
 
@@ -66,7 +67,7 @@ int post_fake_sni(const struct iphdr *iph, unsigned int iph_len,
  * Poses are relative to start of TCP payload.
  * dvs used internally and should be zero.
  */
-int send_tcp4_frags(
+int send_tcp_frags(
 	const uint8_t *packet, uint32_t pktlen, 
 	const uint32_t *poses, uint32_t poses_len, uint32_t dvs);
 

types.h

@@ -41,6 +41,7 @@ typedef __i64	int64_t;
 #define USER_SPACE
 #include <arpa/inet.h>		// IWYU pragma: export
 #include <netinet/ip.h>		// IWYU pragma: export
+#include <netinet/ip6.h>	// IWYU pragma: export
 #include <netinet/tcp.h>	// IWYU pragma: export
 #include <netinet/udp.h>	// IWYU pragma: export
 #endif

uspace.mk

@@ -1,3 +1,6 @@
+#Check for using system libs
+USE_SYS_LIBS := no
+
 #Userspace app makes here
 BUILD_DIR := $(CURDIR)/build
 DEPSDIR := $(BUILD_DIR)/deps
@@ -5,8 +8,14 @@ DEPSDIR := $(BUILD_DIR)/deps
 CC:=gcc
 CCLD:=$(CC)
 LD:=ld
-override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -std=gnu11
-override LDFLAGS += -L$(DEPSDIR)/lib
+
+ifeq ($(USE_SYS_LIBS), no)
+	override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -std=gnu11
+	override LDFLAGS += -L$(DEPSDIR)/lib
+	REQ = $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO)
+else
+	override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -std=gnu11
+endif
 
 LIBNFNETLINK_CFLAGS := -I$(DEPSDIR)/include
 LIBNFNETLINK_LIBS := -L$(DEPSDIR)/lib
@@ -67,11 +76,11 @@ $(LIBNETFILTER_QUEUE): $(LIBNFNETLINK) $(LIBMNL)
 	$(MAKE) -C deps/libnetfilter_queue
 	$(MAKE) install -C deps/libnetfilter_queue
 
-$(APP): $(OBJS) $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO)
+$(APP): $(OBJS) $(REQ)
 	@echo 'CCLD $(APP)'
 	$(CCLD) $(OBJS) -o $(APP) $(LDFLAGS) -lmnl -lnetfilter_queue -lpthread
 
-$(BUILD_DIR)/%.o: %.c $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO) config.h
+$(BUILD_DIR)/%.o: %.c $(REQ) config.h
 	@echo 'CC $@'
 	$(CC) -c $(CFLAGS) $(LDFLAGS) $< -o $@
 
@@ -93,8 +102,9 @@ clean:
 
 distclean: clean
 	rm -rf $(BUILD_DIR)
+ifeq ($(USE_SYS_LIBS), no)
 	$(MAKE) distclean -C deps/libnetfilter_queue || true
 	$(MAKE) distclean -C deps/libmnl || true
 	$(MAKE) distclean -C deps/libnfnetlink || true
 	#$(MAKE) distclean -C deps/openssl || true
-
+endif

utils.c

@@ -1,11 +1,13 @@
 #include "utils.h"
 #include "logging.h"
+#include <netinet/in.h>
 
 #ifdef KERNEL_SPACE
 #include <linux/ip.h>
 #else 
 #include <stdlib.h>
 #include <libnetfilter_queue/libnetfilter_queue_ipv4.h>
+#include <libnetfilter_queue/libnetfilter_queue_ipv6.h>
 #include <libnetfilter_queue/libnetfilter_queue_tcp.h>
 #endif
 
@@ -34,6 +36,36 @@ void ip4_set_checksum(struct iphdr *iph)
 #endif
 }
 
+void tcp6_set_checksum(struct tcphdr *tcph, struct ip6_hdr *iph) {
+	uint16_t old_check = ntohs(tcph->check);
+
+	nfq_tcp_compute_checksum_ipv6(tcph, iph);
+}
+
+int set_ip_checksum(void *iph, uint32_t iphb_len) {
+	int ipvx = netproto_version(iph, iphb_len);
+
+	if (ipvx == IP4VERSION) {
+		ip4_set_checksum(iph);
+	} else if (ipvx == IP6VERSION) { // IP6 has no checksums
+	} else 
+		return -1;
+
+	return 0;
+}
+
+int set_tcp_checksum(struct tcphdr *tcph, void *iph, uint32_t iphb_len) {
+	int ipvx = netproto_version(iph, iphb_len);
+
+	if (ipvx == IP4VERSION) {
+		tcp4_set_checksum(tcph, iph);
+	} else if (ipvx == IP6VERSION) {
+		tcp6_set_checksum(tcph, iph);
+	} else 
+		return -1;
+
+	return 0;
+}
 
 int ip4_payload_split(uint8_t *pkt, uint32_t buflen,
 		       struct iphdr **iph, uint32_t *iph_len, 
@@ -44,7 +76,7 @@ int ip4_payload_split(uint8_t *pkt, uint32_t buflen,
 	}
 
 	struct iphdr *hdr = (struct iphdr *)pkt;
-	if (hdr->version != IPVERSION) {
+	if (netproto_version(pkt, buflen) != IP4VERSION) {
 		lgerror("ip4_payload_split: ipversion", -EINVAL);
 		return -EINVAL;
 	}
@@ -110,6 +142,97 @@ int tcp4_payload_split(uint8_t *pkt, uint32_t buflen,
 	return 0;
 }
 
+int ip6_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct ip6_hdr **iph, uint32_t *iph_len, 
+		       uint8_t **payload, uint32_t *plen) {
+	if (pkt == NULL || buflen < sizeof(struct ip6_hdr)) {
+		lgerror("ip6_payload_split: pkt|buflen", -EINVAL);
+		return -EINVAL;
+	}
+
+	struct ip6_hdr *hdr = (struct ip6_hdr *)pkt;
+	if (netproto_version(pkt, buflen) != 6) {
+		lgerror("ip6_payload_split: ip6version", -EINVAL);
+		return -EINVAL;
+	}
+
+	uint32_t hdr_len = sizeof(struct ip6_hdr);
+	uint32_t pktlen = ntohs(hdr->ip6_ctlun.ip6_un1.ip6_un1_plen);
+	if (buflen < pktlen) {
+		lgerror("ip6_payload_split: buflen cmp pktlen: %d %d", -EINVAL, buflen, pktlen);
+		return -EINVAL;
+	}
+
+	if (iph) 
+		*iph = hdr;
+	if (iph_len)
+		*iph_len = hdr_len;
+	if (payload)
+		*payload = pkt + hdr_len;
+	if (plen)
+		*plen = pktlen;
+
+	return 0;
+}
+
+int tcp6_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct ip6_hdr **iph, uint32_t *iph_len,
+		       struct tcphdr **tcph, uint32_t *tcph_len,
+		       uint8_t **payload, uint32_t *plen) {
+	struct ip6_hdr *hdr;
+	uint32_t hdr_len;
+	struct tcphdr *thdr;
+	uint32_t thdr_len;
+	
+	uint8_t *tcph_pl;
+	uint32_t tcph_plen;
+
+	if (ip6_payload_split(pkt, buflen, &hdr, &hdr_len, 
+			&tcph_pl, &tcph_plen)){
+		return -EINVAL;
+	}
+
+
+	if (
+		hdr->ip6_ctlun.ip6_un1.ip6_un1_nxt != IPPROTO_TCP || 
+		tcph_plen < sizeof(struct tcphdr)) {
+		return -EINVAL;
+	}
+
+
+	thdr = (struct tcphdr *)(tcph_pl);
+	thdr_len = thdr->doff * 4;
+
+	if (thdr_len > tcph_plen) {
+		return -EINVAL;
+	}
+
+	if (iph) *iph = hdr;
+	if (iph_len) *iph_len = hdr_len;
+	if (tcph) *tcph = thdr;
+	if (tcph_len) *tcph_len = thdr_len;
+	if (payload) *payload = tcph_pl + thdr_len;
+	if (plen) *plen = tcph_plen - thdr_len;
+
+	return 0;
+}
+
+int tcp_payload_split(uint8_t *pkt, uint32_t buflen,
+		      void **iph, uint32_t *iph_len,
+		      struct tcphdr **tcph, uint32_t *tcph_len,
+		      uint8_t **payload, uint32_t *plen) {
+	int netvers = netproto_version(pkt, buflen);
+	if (netvers == IP4VERSION) {
+		return tcp4_payload_split(pkt, buflen, (struct iphdr **)iph, iph_len, tcph, tcph_len, payload, plen);
+	} else if (netvers == IP6VERSION) {
+		return tcp6_payload_split(pkt, buflen, (struct ip6_hdr **)iph, iph_len, tcph, tcph_len, payload, plen);
+	} else {
+		lgerror("Internet Protocol version is unsupported", -EINVAL);
+		return -EINVAL;
+	}
+}
+
+
 int udp4_payload_split(uint8_t *pkt, uint32_t buflen,
 		       struct iphdr **iph, uint32_t *iph_len,
 		       struct udphdr **udph,
@@ -222,9 +345,6 @@ int ip4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset,
 	f2_hdr->frag_off = htons(f2_frag_off);
 	f2_hdr->tot_len = htons(f2_dlen);
 
-
-	lgdebugmsg("Packet split in portion %u %u", f1_plen, f2_plen);
-
 	ip4_set_checksum(f1_hdr);
 	ip4_set_checksum(f2_hdr);
 
@@ -232,11 +352,12 @@ int ip4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset,
 }
 
 // split packet to two tcp-on-ipv4 segments.
-int tcp4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset, 
+int tcp_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset, 
 			uint8_t *seg1, uint32_t *s1len, 
 			uint8_t *seg2, uint32_t *s2len) {
 
-	struct iphdr *hdr;
+	// struct ip6_hdr *hdr6;
+	void *hdr;
 	uint32_t hdr_len;
 	struct tcphdr *tcph;
 	uint32_t tcph_len;
@@ -247,23 +368,28 @@ int tcp4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset,
 	if (!seg1 || !s1len || !seg2 || !s2len)
 		return -EINVAL;
 
-	if ((ret = tcp4_payload_split((uint8_t *)pkt, buflen,
+	if ((ret = tcp_payload_split((uint8_t *)pkt, buflen,
 				&hdr, &hdr_len,
 				&tcph, &tcph_len,
 				(uint8_t **)&payload, &plen)) < 0) {
-		lgerror("tcp4_frag: tcp4_payload_split", ret);
+		lgerror("tcp_frag: tcp_payload_split", ret);
 
 		return -EINVAL;
 	}
 
+	int ipvx = netproto_version(pkt, buflen);
 
-	if (
-		ntohs(hdr->frag_off) & IP_MF || 
-		ntohs(hdr->frag_off) & IP_OFFMASK) {
-		lgdebugmsg("tcp4_frag: frag value: %d",
-			ntohs(hdr->frag_off));
-		lgerror("tcp4_frag: ip fragmentation is set", -EINVAL);
-		return -EINVAL;
+
+	if (ipvx == IP4VERSION) {
+		struct iphdr *iphdr = hdr;
+		if (
+			ntohs(iphdr->frag_off) & IP_MF || 
+			ntohs(iphdr->frag_off) & IP_OFFMASK) {
+			lgdebugmsg("tcp_frag: ip4: frag value: %d",
+				ntohs(iphdr->frag_off));
+			lgerror("tcp_frag: ip4: ip fragmentation is set", -EINVAL);
+			return -EINVAL;
+		}
 	}
 
 
@@ -292,21 +418,25 @@ int tcp4_frag(const uint8_t *pkt, uint32_t buflen, uint32_t payload_offset,
 	memcpy(seg1 + hdr_len + tcph_len, payload, s1_plen);
 	memcpy(seg2 + hdr_len + tcph_len, payload + payload_offset, s2_plen);
 
-	struct iphdr *s1_hdr = (void *)seg1;
-	struct iphdr *s2_hdr = (void *)seg2;
+	if (ipvx == IP4VERSION) {
+		struct iphdr *s1_hdr = (void *)seg1;
+		struct iphdr *s2_hdr = (void *)seg2;
+		s1_hdr->tot_len = htons(s1_dlen);
+		s2_hdr->tot_len = htons(s2_dlen);
+	} else {
+		struct ip6_hdr *s1_hdr = (void *)seg1;
+		struct ip6_hdr *s2_hdr = (void *)seg2;
+		s1_hdr->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(s1_dlen - hdr_len);
+		s2_hdr->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(s2_dlen - hdr_len);
+	}
 
 	struct tcphdr *s1_tcph = (void *)(seg1 + hdr_len);
 	struct tcphdr *s2_tcph = (void *)(seg2 + hdr_len);
-
-	s1_hdr->tot_len = htons(s1_dlen);
-	s2_hdr->tot_len = htons(s2_dlen);
-
+	
 	s2_tcph->seq = htonl(ntohl(s2_tcph->seq) + payload_offset);
 
-	lgdebugmsg("Packet split in portion %u %u", s1_plen, s2_plen);
-
-	tcp4_set_checksum(s1_tcph, s1_hdr);
-	tcp4_set_checksum(s2_tcph, s2_hdr);
+	set_tcp_checksum(s1_tcph, seg1, hdr_len);
+	set_tcp_checksum(s2_tcph, seg2, hdr_len);
 
 	return 0;
 }

utils.h

@@ -3,6 +3,9 @@
 
 #include "types.h"
 
+#define IP4VERSION 4
+#define IP6VERSION 6
+
 /**
  * Splits the packet to two IP fragments on position payload_offset.
  * payload_offset indicates the position relatively to start of IP payload
@@ -17,11 +20,16 @@ int ip4_frag(const uint8_t *pkt, uint32_t pktlen,
  * Splits the packet to two TCP segments on position payload_offset
  * payload_offset indicates the position relatively to start of TCP payload.
  */
-int tcp4_frag(const uint8_t *pkt, uint32_t pktlen, 
-			uint32_t payload_offset, 
+// int tcp4_frag(const uint8_t *pkt, uint32_t pktlen, 
+// 			uint32_t payload_offset, 
+// 			uint8_t *seg1, uint32_t *s1len, 
+// 			uint8_t *seg2, uint32_t *s2len);
+int tcp_frag(const uint8_t *pkt, uint32_t pktlen,
+			uint32_t payload_offset,
 			uint8_t *seg1, uint32_t *s1len, 
 			uint8_t *seg2, uint32_t *s2len);
 
+
 /**
  * Splits the raw packet payload to ip header and ip payload.
  */
@@ -29,6 +37,14 @@ int ip4_payload_split(uint8_t *pkt, uint32_t buflen,
 		       struct iphdr **iph, uint32_t *iph_len, 
 		       uint8_t **payload, uint32_t *plen);
 
+static inline int netproto_version(const uint8_t *pkt, uint32_t buflen) {
+	if (pkt == NULL || buflen == 0)
+		return -1;
+
+	return (*pkt) >> 4;
+}
+
+
 /**
  * Splits the raw packet payload to ip header, tcp header and tcp payload.
  */
@@ -37,6 +53,26 @@ int tcp4_payload_split(uint8_t *pkt, uint32_t buflen,
 		       struct tcphdr **tcph, uint32_t *tcph_len,
 		       uint8_t **payload, uint32_t *plen);
 
+/**
+ * Splits the raw packet payload to ip header and ip payload.
+ */
+int ip6_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct ip6_hdr **iph, uint32_t *iph_len, 
+		       uint8_t **payload, uint32_t *plen);
+
+/**
+ * Splits the raw packet payload to ip header, tcp header and tcp payload.
+ */
+int tcp6_payload_split(uint8_t *pkt, uint32_t buflen,
+		       struct ip6_hdr **iph, uint32_t *iph_len,
+		       struct tcphdr **tcph, uint32_t *tcph_len,
+		       uint8_t **payload, uint32_t *plen);
+
+int tcp_payload_split(uint8_t *pkt, uint32_t buflen,
+		      void **iph, uint32_t *iph_len,
+		      struct tcphdr **tcph, uint32_t *tcph_len,
+		      uint8_t **payload, uint32_t *plen);
+
 /**
  * Splits the raw packet payload to ip header, udp header and udp payload.
  */
@@ -47,5 +83,10 @@ int udp4_payload_split(uint8_t *pkt, uint32_t buflen,
 
 void tcp4_set_checksum(struct tcphdr *tcph, struct iphdr *iph);
 void ip4_set_checksum(struct iphdr *iph);
+void ip6_set_checksum(struct ip6_hdr *iph);
+void tcp6_set_checksum(struct tcphdr *tcph, struct ip6_hdr *iph);
+
+int  set_ip_checksum(void *iph, uint32_t iphb_len);
+int  set_tcp_checksum(struct tcphdr *tcph, void *iph, uint32_t iphb_len);
 
 #endif /* UTILS_H */

youtubeUnblock.c

@@ -37,6 +37,9 @@
 pthread_mutex_t rawsocket_lock;
 int rawsocket = -2;
 
+pthread_mutex_t raw6socket_lock;
+int raw6socket = -2;
+
 static int open_socket(struct mnl_socket **_nl) {
 	struct mnl_socket *nl = NULL;
 	nl = mnl_socket_open(NETLINK_NETFILTER);
@@ -84,7 +87,7 @@ static int open_raw_socket(void) {
 		return -1;
 	}
 
-	int mark = RAWSOCKET_MARK;
+	int mark = config.mark;
 	if (setsockopt(rawsocket, SOL_SOCKET, SO_MARK, &mark, sizeof(mark)) < 0)
 	{
 		fprintf(stderr, "setsockopt(SO_MARK, %d) failed\n", mark);
@@ -123,6 +126,134 @@ static int close_raw_socket(void) {
 	return 0;
 }
 
+static int open_raw6_socket(void) {
+	if (raw6socket != -2) {
+		errno = EALREADY;
+		perror("Raw socket is already opened");
+		return -1;
+	}
+	
+	raw6socket = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
+	if (rawsocket == -1) {
+		perror("Unable to create raw socket");
+		return -1;
+	}
+
+	int mark = config.mark;
+	if (setsockopt(raw6socket, SOL_SOCKET, SO_MARK, &mark, sizeof(mark)) < 0)
+	{
+		fprintf(stderr, "setsockopt(SO_MARK, %d) failed\n", mark);
+		return -1;
+	}
+
+	int mst = pthread_mutex_init(&raw6socket_lock, NULL);
+	if (mst) {
+		fprintf(stderr, "Mutex err: %d\n", mst);
+		close(raw6socket);
+		errno = mst;
+
+		return -1;
+	}
+
+
+	return raw6socket;
+}
+
+static int close_raw6_socket(void) {
+	if (raw6socket < 0) {
+		errno = EALREADY;
+		perror("Raw socket is not set");
+		return -1;
+	}
+
+	if (close(raw6socket)) {
+		perror("Unable to close raw socket");
+		pthread_mutex_destroy(&rawsocket_lock);
+		return -1;
+	}
+
+	pthread_mutex_destroy(&raw6socket_lock);
+
+	raw6socket = -2;
+	return 0;
+}
+
+static int send_raw_ipv4(const uint8_t *pkt, uint32_t pktlen) {
+	int ret;
+	if (pktlen > AVAILABLE_MTU) return -ENOMEM;
+
+	struct iphdr *iph;
+
+	if ((ret = ip4_payload_split(
+	(uint8_t *)pkt, pktlen, &iph, NULL, NULL, NULL)) < 0) {
+		errno = -ret;
+		return ret;
+	}
+
+	struct sockaddr_in daddr = {
+		.sin_family = AF_INET,
+		/* Always 0 for raw socket */
+		.sin_port = 0,
+		.sin_addr = {
+			.s_addr = iph->daddr
+		}
+	};
+
+	if (config.threads != 1)
+		pthread_mutex_lock(&rawsocket_lock);
+
+	int sent = sendto(rawsocket, 
+	    pkt, pktlen, 0, 
+	    (struct sockaddr *)&daddr, sizeof(daddr));
+
+	if (config.threads != 1)
+		pthread_mutex_unlock(&rawsocket_lock);
+
+	/* The function will return -errno on error as well as errno value set itself */
+	if (sent < 0) sent = -errno;
+
+	return sent;
+}
+
+static int send_raw_ipv6(const uint8_t *pkt, uint32_t pktlen) {
+	int ret;
+	if (pktlen > AVAILABLE_MTU) return -ENOMEM;
+
+	struct ip6_hdr *iph;
+
+	if ((ret = ip6_payload_split(
+	(uint8_t *)pkt, pktlen, &iph, NULL, NULL, NULL)) < 0) {
+		errno = -ret;
+		return ret;
+	}
+
+	struct sockaddr_in6 daddr = {
+		.sin6_family = AF_INET6,
+		/* Always 0 for raw socket */
+		.sin6_port = 0,
+		.sin6_addr = iph->ip6_dst
+	};
+
+	tcp6_set_checksum((void *)(uint8_t *)pkt + sizeof(struct ip6_hdr), (void *)pkt);
+
+
+	if (config.threads != 1)
+		pthread_mutex_lock(&rawsocket_lock);
+
+	int sent = sendto(raw6socket, 
+	    pkt, pktlen, 0, 
+	    (struct sockaddr *)&daddr, sizeof(daddr));
+
+	lgtrace_addp("rawsocket sent %d", sent);
+
+	if (config.threads != 1)
+		pthread_mutex_unlock(&rawsocket_lock);
+
+	/* The function will return -errno on error as well as errno value set itself */
+	if (sent < 0) sent = -errno;
+
+	return sent;
+}
 
 static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
 	int ret;
@@ -138,7 +269,7 @@ static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
 
 		switch (config.fragmentation_strategy) {
 			case FRAG_STRAT_TCP:
-				if ((ret = tcp4_frag(pkt, pktlen, AVAILABLE_MTU-128,
+				if ((ret = tcp_frag(pkt, pktlen, AVAILABLE_MTU-128,
 					buff1, &buff1_size, buff2, &buff2_size)) < 0) {
 
 					errno = -ret;
@@ -175,39 +306,16 @@ static int send_raw_socket(const uint8_t *pkt, uint32_t pktlen) {
 
 		return sent;
 	}
+	
+	int ipvx = netproto_version(pkt, pktlen);
 
+	if (ipvx == IP4VERSION) 
+		return send_raw_ipv4(pkt, pktlen);
+	else if (ipvx == IP6VERSION) 
+		return send_raw_ipv6(pkt, pktlen);
 
-	struct iphdr *iph;
-
-	if ((ret = ip4_payload_split(
-	(uint8_t *)pkt, pktlen, &iph, NULL, NULL, NULL)) < 0) {
-		errno = -ret;
-		return ret;
-	}
-
-	struct sockaddr_in daddr = {
-		.sin_family = AF_INET,
-		/* Always 0 for raw socket */
-		.sin_port = 0,
-		.sin_addr = {
-			.s_addr = iph->daddr
-		}
-	};
-
-	if (config.threads != 1)
-		pthread_mutex_lock(&rawsocket_lock);
-
-	int sent = sendto(rawsocket, 
-	    pkt, pktlen, 0, 
-	    (struct sockaddr *)&daddr, sizeof(daddr));
-
-	if (config.threads != 1)
-		pthread_mutex_unlock(&rawsocket_lock);
-
-	/* The function will return -errno on error as well as errno value set itself */
-	if (sent < 0) sent = -errno;
-
-	return sent;
+	printf("proto version %d is unsupported\n", ipvx);
+	return -EINVAL;
 }
 
 
@@ -316,8 +424,8 @@ static int queue_cb(const struct nlmsghdr *nlh, void *data) {
 
 	if (attr[NFQA_MARK] != NULL) {
 		// Skip packets sent by rawsocket to escape infinity loop.
-		if ((ntohl(mnl_attr_get_u32(attr[NFQA_MARK])) & RAWSOCKET_MARK) == 
-			RAWSOCKET_MARK) {
+		if ((ntohl(mnl_attr_get_u32(attr[NFQA_MARK])) & config.mark) == 
+			config.mark) {
 			return fallback_accept_packet(packet.id, *qdata);
 		}
 	}
@@ -471,6 +579,14 @@ int main(int argc, char *argv[]) {
 		exit(EXIT_FAILURE);
 	}
 
+	if (config.use_ipv6) {
+		if (open_raw6_socket() < 0) {
+			perror("Unable to open raw socket for ipv6");
+			close_raw_socket();
+			exit(EXIT_FAILURE);
+		}
+	}
+
 	struct queue_res *qres = &defqres;
 
 	if (config.threads == 1) {
@@ -503,10 +619,9 @@ int main(int argc, char *argv[]) {
 		}
 	}
 
-	if (close_raw_socket() < 0) {
-		perror("Unable to close raw socket");
-		exit(EXIT_FAILURE);
-	}
+	close_raw_socket();
+	if (config.use_ipv6)
+		close_raw6_socket();
 
 	return -qres->status;
 }