Merge branch 'main' into ipv6

README.md

@@ -25,7 +25,7 @@ Bypasses Deep Packet Inspection (DPI) systems that relies on SNI. The package is
 
 The program was primarily developed to bypass YouTube Outage in Russia, but it works good with other websites blocked by SNI. Adjust the list of websites via `--sni-domains` flag for the program.
 
-The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml). If you haven't access to Github Actions, the program offers [development pre-release](https://github.com/Waujito/youtubeUnblock/releases/tag/continuous) which follows the latest commit in main branch with binaries included as assets. On OpenWRT you can check the architecture of your device with command `grep ARCH /etc/openwrt_release`.
+The program is compatible with routers based on OpenWRT, Entware(Keenetic/ASUS) and host machines. The program offers binaries via Github Actions. The binaries of main branch are published in the [development pre-release](https://github.com/Waujito/youtubeUnblock/releases/tag/continuous). Check out [Github Actions](https://github.com/Waujito/youtubeUnblock/actions/workflows/build-ci.yml) if you want to see all the binaries compiled ever. You should know the arcitecture of your hardware to use binaries. On OpenWRT you can check it with command `grep ARCH /etc/openwrt_release`.
 
 On both OpenWRT and Entware install the program with opkg. If you got read-only filesystem error you may unpack the binary manually or specify opkg path `opkg -o <destdir>`.
 
@@ -126,6 +126,8 @@ curl -o/dev/null -k --connect-to ::google.com -k -L -H Host:\ mirror.gcr.io http
 
 ## Flags
 
+Put flags to the **BINARY**, not an init script. If you are on OpenWRT you should put the flags inside the script: open `/etc/init.d/youtubeUnblock` with any text editor, like vi or nano and put your flags after `procd_set_param command /usr/bin/youtubeUnblock` line.
+
 Available flags:
 
 - `--sni-domains=<comma separated domain list>|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults is `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled.

config.h

@@ -87,7 +87,7 @@ extern struct config_t config;
 
 
 #ifndef FAKING_STRATEGY
-#define FAKING_STRATEGY FAKE_STRAT_RAND_SEQ
+#define FAKING_STRATEGY FAKE_STRAT_PAST_SEQ
 #endif
 
 #if !defined(SILENT) && !defined(KERNEL_SPACE)

logging.h

@@ -25,8 +25,11 @@
 
 #define lgdebugmsg(msg, ...) lgdebug(msg "\n", ##__VA_ARGS__)
 
-#define lgtracemsg(msg, ...) \
+
-(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg "\n", ##__VA_ARGS__) : 0)
+#define lgtrace(msg, ...) \
+(LOG_LEVEL >= VERBOSE_TRACE ? printf(msg, ##__VA_ARGS__) : 0)
+
+#define lgtracemsg(msg, ...) lgtrace(msg "\n", __VA_ARGS__)
 
 #define lgtrace_start(msg, ...) \
 (LOG_LEVEL >= VERBOSE_TRACE ? printf("[TRACE] " msg " ( ", ##__VA_ARGS__) : 0)

mangle.c

@@ -427,6 +427,12 @@ send_fake:
 			}
 			memcpy(fake_pad, frag2, iphfl + tcphfl);
 			memset(fake_pad + iphfl + tcphfl, 0, f2len - iphfl - tcphfl);
+			struct tcphdr *fakethdr = (void *)(fake_pad + iphfl);
+			if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+				lgtrace("frag fake sent with %d -> ", ntohl(fakethdr->seq));
+				fakethdr->seq = htonl(ntohl(fakethdr->seq) - dvs);
+				lgtrace_addp("%d, ", ntohl(fakethdr->seq));
+			}
 			ret = fail_packet(fake_pad, f2len);
 			if (ret < 0) {
 				lgerror("Failed to fail packet", ret);
@@ -823,7 +829,10 @@ int fail_packet(uint8_t *payload, uint32_t plen) {
 		tcph->ack_seq = random();
 #endif
 	} else if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+		lgtrace("fake sent with %d -> ", ntohl(tcph->seq));
 		tcph->seq = htonl(ntohl(tcph->seq) - dlen);
+		lgtrace_addp("%d", ntohl(tcph->seq));
+
 	} else if (config.faking_strategy == FAKE_STRAT_TTL) {
 		uint32_t ipxv = netproto_version(payload, plen);
 		if (ipxv == IP4VERSION) {

owrt/537-youtubeUnblock.nft

@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
 # This file install nftables rules for openwrt
 
-insert rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
+add rule inet fw4 mangle_forward tcp dport 443 ct original packets < 20 counter queue num 537 bypass
 insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept

uspace.mk

@@ -1,3 +1,6 @@
+#Check for using system libs
+USE_SYS_LIBS := no
+
 #Userspace app makes here
 BUILD_DIR := $(CURDIR)/build
 DEPSDIR := $(BUILD_DIR)/deps
@@ -5,8 +8,14 @@ DEPSDIR := $(BUILD_DIR)/deps
 CC:=gcc
 CCLD:=$(CC)
 LD:=ld
-override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -std=gnu11
+
-override LDFLAGS += -L$(DEPSDIR)/lib
+ifeq ($(USE_SYS_LIBS), no)
+	override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -I$(DEPSDIR)/include -std=gnu11
+	override LDFLAGS += -L$(DEPSDIR)/lib
+	REQ = $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO)
+else
+	override CFLAGS += -Wall -Wpedantic -Wno-unused-variable -std=gnu11
+endif
 
 LIBNFNETLINK_CFLAGS := -I$(DEPSDIR)/include
 LIBNFNETLINK_LIBS := -L$(DEPSDIR)/lib
@@ -67,11 +76,11 @@ $(LIBNETFILTER_QUEUE): $(LIBNFNETLINK) $(LIBMNL)
 	$(MAKE) -C deps/libnetfilter_queue
 	$(MAKE) install -C deps/libnetfilter_queue
 
-$(APP): $(OBJS) $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO)
+$(APP): $(OBJS) $(REQ)
 	@echo 'CCLD $(APP)'
 	$(CCLD) $(OBJS) -o $(APP) $(LDFLAGS) -lmnl -lnetfilter_queue -lpthread
 
-$(BUILD_DIR)/%.o: %.c $(LIBNETFILTER_QUEUE) $(LIBMNL) $(LIBCRYPTO) config.h
+$(BUILD_DIR)/%.o: %.c $(REQ) config.h
 	@echo 'CC $@'
 	$(CC) -c $(CFLAGS) $(LDFLAGS) $< -o $@
 
@@ -93,8 +102,9 @@ clean:
 
 distclean: clean
 	rm -rf $(BUILD_DIR)
+ifeq ($(USE_SYS_LIBS), no)
 	$(MAKE) distclean -C deps/libnetfilter_queue || true
 	$(MAKE) distclean -C deps/libmnl || true
 	$(MAKE) distclean -C deps/libnfnetlink || true
 	#$(MAKE) distclean -C deps/openssl || true
-
+endif