diff --git a/Makefile b/Makefile
index 90e26f9..00e3feb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,9 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=UA2F
-PKG_VERSION:=3.2
+PKG_VERSION:=3.3
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/README.md b/README.md
index 9ae5f5e..2f65d2d 100644
--- a/README.md
+++ b/README.md
@@ -28,9 +28,9 @@ iptables -t mangle -A ua2f -d 127.0.0.0/8 -j RETURN
 iptables -t mangle -A ua2f -d 192.168.0.0/16 -j RETURN # 不处理流向保留地址的包
 iptables -t mangle -A ua2f -p tcp --dport 443 -j RETURN
 iptables -t mangle -A ua2f -p tcp --dport 22 -j RETURN # 不处理 SSH 和 https
-iptables -t mangle -A ua2f -p tcp --dport 80 -j CONNMARK --set-mark 24
+iptables -t mangle -A ua2f -p tcp --dport 80 -j CONNMARK --set-mark 54
+iptables -t mangle -A ua2f -m connmark --mark 53 -j RETURN # 不处理标记为非 http 的流 (实验性)
 iptables -t mangle -A ua2f -m set --set nohttp dst,dst -j RETURN
-iptables -t mangle -A ua2f -m connmark --mark 23 -j RETURN # 不处理标记为非 http 的流 (实验性)
 iptables -t mangle -A ua2f -j NFQUEUE --queue-num 10010
 iptables -t mangle -A FORWARD -p tcp -m conntrack --ctdir ORIGINAL -j ua2f
diff --git a/src/ua2f.c b/src/ua2f.c
index 6db5439..e2193b1 100644
--- a/src/ua2f.c
+++ b/src/ua2f.c
@@ -75,40 +75,6 @@ static int parse_attrs(const struct nlattr *attr, void *data) {
 return MNL_CB_OK;
 }
-// static bool http_sign_check(bool firstcheck, unsigned int tcplen, unsigned char *tcppayload);
-
-//static int probe_http_method(const char *p, const char *opt) {
-// return !strncmp(p, opt, strlen(opt));
-//}
-//
-//static bool http_judge(char *tcppayload, unsigned int tcplen) {
-//
-// if (tcplen <= 12) {
-// return false;
-// }
-//
-// if (memmem(tcppayload, tcplen, "HTTP", 4)) {
-// return true;
-// }
-//
-//#define PROBE_HTTP_METHOD(option) if(probe_http_method(tcppayload, option)) {http1_0count++; return true;}
-//
-// /* Otherwise it could be HTTP/1.0 without version: check if it's got an
-// * HTTP method (RFC2616 5.1.1) */
-// PROBE_HTTP_METHOD("GET ")
-// PROBE_HTTP_METHOD("POST ")
-// PROBE_HTTP_METHOD("OPTIONS ")
-// PROBE_HTTP_METHOD("HEAD ")
-// PROBE_HTTP_METHOD("PUT ")
-// PROBE_HTTP_METHOD("DELETE ")
-// PROBE_HTTP_METHOD("TRACE ")
-// PROBE_HTTP_METHOD("CONNECT ")
-//
-//#undef PROBE_HTTP_METHOD
-//
-// return false;
-//}
-
 static void
 nfq_send_verdict(int queue_num, uint32_t id, struct pkt_buff *pktb, uint32_t mark, bool noUA, char addcmd[50]) {
 // http mark = 24, ukn mark = 16-20, no http mark = 23
@@ -139,17 +105,17 @@ nfq_send_verdict(int queue_num, uint32_t id, struct pkt_buff *pktb, uint32_t mar
 mnl_attr_nest_end(nlh, nest);
 }
- if (mark >= 16 && mark <= 20) {
+ if (mark >= 16 && mark <= 40) {
 setmark = mark + 1;
 nest = mnl_attr_nest_start(nlh, NFQA_CT);
 mnl_attr_put_u32(nlh, CTA_MARK, htonl(setmark));
 mnl_attr_nest_end(nlh, nest);
 }
- if (mark == 21) { // 21 统计确定此连接为非http连接
+ if (mark == 41) { // 21 统计确定此连接为不含UA连接
 nest = mnl_attr_nest_start(nlh, NFQA_CT);
- mnl_attr_put_u32(nlh, CTA_MARK, htonl(23));
+ mnl_attr_put_u32(nlh, CTA_MARK, htonl(43));
 mnl_attr_nest_end(nlh, nest); // 加 CONNMARK
 ipset_parse_line(Pipset, addcmd); //加 ipset 标记
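Review bot: The new constants in `mark <= 40`, `mark == 41` and `htonl(43)` do not match the iptables rules this same commit puts in README.md, which set `--set-mark 54` on port 80 and bypass the queue on `--mark 53`; because the code writes 43 for a no-UA connection, the documented `-m connmark --mark 53 -j RETURN` rule never matches and those flows keep being sent to userspace, unless a rule not shown here remaps them. The unchanged header comment `// http mark = 24, ukn mark = 16-20, no http mark = 23` and the retained `// 21 ...` wording on the `mark == 41` line still describe the old numbering, so five related magic values now live in three conditions, a comment and a README, which is exactly how this drift happens; name them once and let the README cite the names. Widening the undecided window from 16-20 to 16-40 also means up to 25 UA-less packets per flow traverse the NFQUEUE before the connection is bypassed, a latency and load trade-off worth stating on the `mark <= 40` line. nfq_send_verdict begins and ends outside this hunk.
```c
/* conntrack mark states used by nfq_send_verdict; the README iptables rules must use the same numbers */
enum { MARK_UKN_MIN = 16, MARK_UKN_MAX = 40, MARK_UKN_DONE = 41, MARK_NOUA = 43, MARK_HTTP = 44 };
// … unchanged: function head and NFQA_PAYLOAD nest …
    if (mark >= MARK_UKN_MIN && mark <= MARK_UKN_MAX) { // still undecided: count one more UA-less packet (up to 25 queued per flow)
        setmark = mark + 1;
// … unchanged: CTA_MARK nest for setmark …
    if (mark == MARK_UKN_DONE) { // window exhausted without a UA: mark as no-UA and add the destination to the ipset
        nest = mnl_attr_nest_start(nlh, NFQA_CT);
        mnl_attr_put_u32(nlh, CTA_MARK, htonl(MARK_NOUA));
```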
@@ -157,9 +123,9 @@ nfq_send_verdict(int queue_num, uint32_t id, struct pkt_buff *pktb, uint32_t mar
 noUAmark++;
 }
 } else {
- if (mark != 24) {
+ if (mark != 44) {
 nest = mnl_attr_nest_start(nlh, NFQA_CT);
- mnl_attr_put_u32(nlh, CTA_MARK, htonl(24));
+ mnl_attr_put_u32(nlh, CTA_MARK, htonl(44));
 mnl_attr_nest_end(nlh, nest);
 UAmark++;
 }
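Review bot: The `if (mark != 44)` guard re-marks the connection to 44 for every other value, including 43, so a connection that the no-UA path has already marked 43 and whose destination it has pushed into the ipset is flipped back to the HTTP mark by the first later packet that does carry a UA, while nothing in this diff removes the ipset entry. With the README rules in this commit the bypass checks `--mark 53`, not 43, so such packets do still reach this code. If the override is intended it deserves a comment, `// 43 (no-UA) is overridden here; the ipset entry added for it is not revoked`; if not, exclude it with `if (mark != 44 && mark != 43) {`. This is the `else` of a conditional whose head lies above the hunk, presumably on noUA, and nfq_send_verdict begins and ends outside the hunk.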