Add support for tcp_check and past sequence faking strategies

2024-12-22 06:15:31 +00:00 · 2024-08-16 22:47:55 +03:00 · 2024-08-16 22:47:55 +03:00 · a546e783c6
commit a546e783c6
parent 1c5d4e68d9
4 changed files with 41 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -136,7 +136,11 @@ Available flags:

 - `--fake-sni-seq-len=<length>` This flag specifies **youtubeUnblock** to build a complicated construction of fake client hello packets. length determines how much fakes will be sent. Defaults to **1**.

- `--faking-strategy={ack,ttl}` This flag determines the strategy of fake packets invalidation. `ack` specifies that random sequence/acknowledgemend random will be set. These options may be handled by provider which uses *conntrack* with drop on invalid *conntrack* state firewall rule enabled. `ttl` specifies that packet will be invalidated after `--faking-ttl=n` hops. `ttl` is better but may cause issues if unconfigured. Defaults to `ack`
+- `--faking-strategy={randseq|ttl|tcp_check|pastseq}` This flag determines the strategy of fake packets invalidation. Defaults to `randseq`
+  - `randseq` specifies that random sequence/acknowledgemend random will be set. This option may be handled by provider which uses *conntrack* with drop on invalid *conntrack* state firewall rule enabled. 
+  - `ttl` specifies that packet will be invalidated after `--faking-ttl=n` hops. `ttl` is better but may cause issues if unconfigured. 
+  - `pastseq` is like `randseq` but sequence number is not random but references the packet sent in the past (before current).
+  - `tcp_check` will invalidate faking packet with invalid checksum. May be handled and dropped by some providers/TSPUs.

 - `--faking-ttl=<ttl>` Tunes the time to live (TTL) of fake SNI messages. TTL is specified like that the packet will go through the DPI system and captured by it, but will not reach the destination server. Defaults to **8**.

@ -146,7 +150,7 @@ Available flags:

 - `--frag-sni-faked={0|1}` Specifies **youtubeUnblock** to send fake packets near *ClientHello* (fills payload with zeroes). Defaults to **0**.

- `--quic-drop` Drop all QUIC packets which goes to youtubeUnblock. Won't affect any other UDP packets. Suitable for some TVs.
+- `--quic-drop` Drop all QUIC packets which goes to youtubeUnblock. Won't affect any other UDP packets. Suitable for some TVs. Note, that for this option to work you should also add proxy udp to youtubeUnblock in firewall. `connbytes` may also be used with udp.

 - `--fk-winsize=<winsize>` Specifies window size for the fragmented TCP packet. Applicable if you want for response to be fragmented. May slowdown connection initialization.

@ -172,19 +176,23 @@ If your browser is using QUIC it may not work properly. Disable it in Chrome in

 ### TV

-Televisions are the biggest headache. Some users report that disabling QUIC + `--sni-domains=all` may work. To disable QUIC you may use `--quic-drop` [flag](#flags) with proper firewall configuration (check description of the flag). Note, that this flag won't disable gQUIC and some TVs may relay on it. To disable gQUIC you will need to block the entire 443 port for udp in firewall configuration:
+Televisions are the biggest headache. 
+
+In [this issue](https://github.com/Waujito/youtubeUnblock/issues/59) the problem has been resolved. 
+
+If you have troubles with televisions try `--faking-strategy=ttl` flag and play around with `--faking-ttl=n`. See [#flags](#flags) for more details. Also you might be have to disable QUIC. To do it you may use `--quic-drop` [flag](#flags) with proper firewall configuration (check description of the flag). Note, that this flag won't disable gQUIC and some TVs may relay on it. To disable gQUIC you will need to block the entire 443 port for udp in firewall configuration:

 For **nftables** do
 ```
-nft insert rule inet fw4 forward udp dport 443 counter drop
+nft insert rule inet fw4 forward ip saddr 192.168.. udp dport 443 counter drop
 ```

 For **iptables**
 ```
-iptables -I OUTPUT -p udp --dport 443 -j DROP
+iptables -I OUTPUT --src 192.168.. -p udp --dport 443 -j DROP
 ```

-Note that these rules may **break the stability of internet** so use them carefully and **only if** --quic-drop doesn't work.
+Where you have to replace 192.168.. with ip of your television.

 ### Troubleshooting EPERMS (Operation not permitted)

--- a/args.c
+++ b/args.c
@ -124,7 +124,7 @@ void print_usage(const char *argv0) {
 	printf("\t--fake-sni={1|0}\n");
 	printf("\t--fake-sni-seq-len=<length>\n");
 	printf("\t--faking-ttl=<ttl>\n");
-	printf("\t--faking-strategy={ack,ttl}\n");
+	printf("\t--faking-strategy={randseq|ttl|tcp_check|pastseq}\n");
 	printf("\t--frag={tcp,ip,none}\n");
 	printf("\t--frag-sni-reverse={0|1}\n");
 	printf("\t--frag-sni-faked={0|1}\n");
@ -215,10 +215,14 @@ int parse_args(int argc, char *argv[]) {

 			break;
 		case OPT_FAKING_STRATEGY:
-			if (strcmp(optarg, "ack") == 0) {
-				config.faking_strategy = FAKE_STRAT_ACK_SEQ;
+			if (strcmp(optarg, "randseq") == 0) {
+				config.faking_strategy = FAKE_STRAT_RAND_SEQ;
 			} else if (strcmp(optarg, "ttl") == 0) {
 				config.faking_strategy = FAKE_STRAT_TTL;
+			} else if (strcmp(optarg, "tcp_check") == 0) {
+				config.faking_strategy = FAKE_STRAT_TCP_CHECK;
+			} else if (strcmp(optarg, "pastseq") == 0) {
+				config.faking_strategy = FAKE_STRAT_PAST_SEQ;
 			} else {
 				goto invalid_opt;
 			}
@ -343,8 +347,14 @@ void print_welcome() {
 		case FAKE_STRAT_TTL:
 			printf("TTL faking strategy will be used with TTL %d\n", config.faking_ttl);
 			break;
-		case FAKE_STRAT_ACK_SEQ:
-			printf("Ack-Seq faking strategy will be used\n");
+		case FAKE_STRAT_RAND_SEQ:
+			printf("Random seq faking strategy will be used\n");
+			break;
+		case FAKE_STRAT_TCP_CHECK:
+			printf("TCP checksum faking strategy will be used\n");
+			break;
+		case FAKE_STRAT_PAST_SEQ:
+			printf("Past seq faking strategy will be used\n");
 			break;
 	}

--- a/config.h
+++ b/config.h
@ -76,14 +76,16 @@ extern struct config_t config;
 #define FAKE_TTL 8

 // Will invalidate fake packets by out-of-ack_seq out-of-seq request
-#define FAKE_STRAT_ACK_SEQ 1
+#define FAKE_STRAT_RAND_SEQ	1
 // Will assume that GGC server is located further than FAKE_TTL
 // Thus, Fake packet will be eliminated automatically.
-#define FAKE_STRAT_TTL 2
+#define FAKE_STRAT_TTL		2
+#define FAKE_STRAT_PAST_SEQ	3
+#define FAKE_STRAT_TCP_CHECK	4


 #ifndef FAKING_STRATEGY
-#define FAKING_STRATEGY FAKE_STRAT_ACK_SEQ
+#define FAKING_STRATEGY FAKE_STRAT_RAND_SEQ
 #endif

 #if !defined(SILENT) && !defined(KERNEL_SPACE)
--- a/mangle.c
+++ b/mangle.c
@ -710,7 +710,7 @@ int fail4_packet(uint8_t *payload, uint32_t plen) {
 		return ret;
 	}

-	if (config.faking_strategy == FAKE_STRAT_ACK_SEQ) {
+	if (config.faking_strategy == FAKE_STRAT_RAND_SEQ) {
 #ifdef KERNEL_SCOPE
 		tcph->seq = 124;
 		tcph->ack_seq = 124;
@ -718,6 +718,8 @@ int fail4_packet(uint8_t *payload, uint32_t plen) {
 		tcph->seq = random();
 		tcph->ack_seq = random();
 #endif
+	} else if (config.faking_strategy == FAKE_STRAT_PAST_SEQ) {
+		tcph->seq = htonl(ntohl(tcph->seq) - dlen);
 	} else if (config.faking_strategy == FAKE_STRAT_TTL) {
 		iph->ttl = config.faking_ttl;
 	}
@ -725,5 +727,9 @@ int fail4_packet(uint8_t *payload, uint32_t plen) {
 	ip4_set_checksum(iph);
 	tcp4_set_checksum(tcph, iph);

+	if (config.faking_strategy == FAKE_STRAT_TCP_CHECK) {
+		tcph->check += 1;
+	}
+
 	return 0;
 }