From 3d50c00e4f117e11da42653d45f7335e37069829 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Thu, 29 Aug 2024 19:28:26 +0300 Subject: [PATCH 1/4] Fix internet :) Related to #96 --- mangle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mangle.c b/mangle.c index 931e00c..d419c80 100644 --- a/mangle.c +++ b/mangle.c @@ -89,7 +89,7 @@ int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) { goto accept; } - if (tcph->syn) { + if (tcph->syn && config.synfake) { lgtrace_addp("TCP syn alter"); uint8_t payload[MAX_PACKET_SIZE]; memcpy(payload, ipxh, iph_len); From 5f2e423dfa9b81c4ea2e777dec2d9d642886e758 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Tue, 3 Sep 2024 21:22:17 +0300 Subject: [PATCH 2/4] Add --exclude-domains flag. Fix #100 --- README.md | 4 +++- args.c | 12 +++++++++++- config.h | 2 ++ mangle.c | 42 +++++++++++++++++++++++++++++++++++++++++- 4 files changed, 57 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 37b319a..61533e7 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,9 @@ Put flags to the **BINARY**, not an init script. If you are on OpenWRT you shoul Available flags: -- `--sni-domains=|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults to `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled. +- `--sni-domains=|all` List of domains you want to be handled by SNI. Use this string if you want to change default domain list. Defaults to `googlevideo.com,ggpht.com,ytimg.com,youtube.com,play.google.com,youtu.be,googleapis.com,googleusercontent.com,gstatic.com,l.google.com`. You can pass **all** if you want for every *ClientHello* to be handled. You can exclude some domains from _all_ with `--exclude-domains` flag. + +- `--exclude-domains=` List of domains to be excluded from targetting. Useful if you use `--sni-domains=all` and want for some websites to not be targetted by youtubeUnblock. Also the use case is subdomains (for example if you unblock l.google.com, dl.google.com will be also targetted. You can pass it to this flag and it will be ignored). - `--queue-num=` The number of netfilter queue **youtubeUnblock** will be linked to. Defaults to **537**. diff --git a/args.c b/args.c index fd2daac..2b44a8a 100644 --- a/args.c +++ b/args.c @@ -49,12 +49,16 @@ struct config_t config = { .domains_str = defaul_snistr, .domains_strlen = sizeof(defaul_snistr), + .exclude_domains_str = "", + .exclude_domains_strlen = 0, + .queue_start_num = DEFAULT_QUEUE_NUM, .fake_sni_pkt = fake_sni_old, .fake_sni_pkt_sz = sizeof(fake_sni_old) - 1, // - 1 for null-terminator }; #define OPT_SNI_DOMAINS 1 +#define OPT_EXCLUDE_DOMAINS 25 #define OPT_FAKE_SNI 2 #define OPT_FAKING_TTL 3 #define OPT_FAKING_STRATEGY 10 @@ -79,12 +83,13 @@ struct config_t config = { #define OPT_NO_GSO 8 #define OPT_QUEUE_NUM 9 -#define OPT_MAX OPT_SYNFAKE_LEN +#define OPT_MAX OPT_SNI_DOMAINS static struct option long_opt[] = { {"help", 0, 0, 'h'}, {"version", 0, 0, 'v'}, {"sni-domains", 1, 0, OPT_SNI_DOMAINS}, + {"exclude-domains", 1, 0, OPT_EXCLUDE_DOMAINS}, {"fake-sni", 1, 0, OPT_FAKE_SNI}, {"synfake", 1, 0, OPT_SYNFAKE}, {"synfake-len", 1, 0, OPT_SYNFAKE_LEN}, @@ -142,6 +147,7 @@ void print_usage(const char *argv0) { printf("Options:\n"); printf("\t--queue-num=\n"); printf("\t--sni-domains=|all\n"); + printf("\t--exclude-domains=\n"); printf("\t--fake-sni={1|0}\n"); printf("\t--fake-sni-seq-len=\n"); printf("\t--fake-seq-offset=\n"); @@ -203,6 +209,10 @@ int parse_args(int argc, char *argv[]) { config.domains_str = optarg; config.domains_strlen = strlen(config.domains_str); break; + case OPT_EXCLUDE_DOMAINS: + config.exclude_domains_str = optarg; + config.exclude_domains_strlen = strlen(config.exclude_domains_str); + break; case OPT_SNI_DETECTION: if (strcmp(optarg, "parse") == 0) { config.sni_detection = SNI_DETECTION_PARSE; diff --git a/config.h b/config.h index 96b7bff..b1f5ab9 100644 --- a/config.h +++ b/config.h @@ -40,6 +40,8 @@ struct config_t { unsigned int seg2_delay; const char *domains_str; unsigned int domains_strlen; + const char *exclude_domains_str; + unsigned int exclude_domains_strlen; unsigned int all_domains; const char *fake_sni_pkt; unsigned int fake_sni_pkt_sz; diff --git a/mangle.c b/mangle.c index d419c80..15900fd 100644 --- a/mangle.c +++ b/mangle.c @@ -704,7 +704,7 @@ struct tls_verdict analyze_tls_data( if (config.all_domains) { vrd.target_sni = 1; - goto out; + goto check_domain; } @@ -726,12 +726,48 @@ struct tls_verdict analyze_tls_data( domain_startp, domain_len)) { vrd.target_sni = 1; + goto check_domain; } j = i + 1; } } + continue; + +check_domain: + if (vrd.target_sni == 1 && config.exclude_domains_strlen != 0) { + unsigned int j = 0; + for (unsigned int i = 0; i <= config.exclude_domains_strlen; i++) { + if ( i > j && + (i == config.exclude_domains_strlen || + config.exclude_domains_str[i] == '\0' || + config.exclude_domains_str[i] == ',' || + config.exclude_domains_str[i] == '\n' )) { + + unsigned int domain_len = (i - j); + const char *sni_startp = sni_name + sni_len - domain_len; + const char *domain_startp = config.exclude_domains_str + j; + + if (sni_len >= domain_len && + sni_len < 128 && + !strncmp(sni_startp, + domain_startp, + domain_len)) { + + vrd.target_sni = 0; + lgdebugmsg("Excluded SNI: %.*s", + vrd.sni_len, data + vrd.sni_offset); + goto out; + } + + j = i + 1; + } + } + } + + goto out; + nextExtension: extensionsPtr += 2 + 2 + extensionLen; } @@ -739,9 +775,13 @@ nextMessage: i += 5 + message_length; } + + + goto out; out: return vrd; + brute: if (config.all_domains) { vrd.target_sni = 1; From 7d01d0974d79f2c6c5006ffabe6798724884f2e9 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Tue, 3 Sep 2024 21:46:47 +0300 Subject: [PATCH 3/4] Update README.md --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 61533e7..83d96e3 100644 --- a/README.md +++ b/README.md @@ -204,9 +204,7 @@ If your browser is using QUIC it may not work properly. Disable it in Chrome in Televisions are the biggest headache. -In [this issue](https://github.com/Waujito/youtubeUnblock/issues/59) the problem has been resolved. - -If you have troubles with televisions try `--faking-strategy=ttl` flag and play around with `--faking-ttl=n`. See [#flags](#flags) for more details. Also you might be have to disable QUIC. To do it you may use `--quic-drop` [flag](#flags) with proper firewall configuration (check description of the flag). Note, that this flag won't disable gQUIC and some TVs may relay on it. To disable gQUIC you will need to block the entire 443 port for udp in firewall configuration: +In [this issue](https://github.com/Waujito/youtubeUnblock/issues/59) the problem has been resolved. And now youtubeUnblock should work with default flags. If not, play around with faking strategies and other flags. Also you might be have to disable QUIC. To do it you may use `--quic-drop` [flag](#flags) with proper firewall configuration (check description of the flag). Note, that this flag won't disable gQUIC and some TVs may relay on it. To disable gQUIC you will need to block the entire 443 port for udp in firewall configuration: For **nftables** do ``` From 31aa3091980f50fa6bd4e51bad3448e7a63f88fb Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sat, 7 Sep 2024 09:24:35 +0300 Subject: [PATCH 4/4] Fix #104 Infinity loop with default parameters Fixes infinity loop with default parameters for youtubeUnblock when trying to connect not handled website. The commit is also related to issue #100 where the support for --exclude-domains flag was added --- mangle.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/mangle.c b/mangle.c index 15900fd..e42221e 100644 --- a/mangle.c +++ b/mangle.c @@ -733,8 +733,6 @@ struct tls_verdict analyze_tls_data( } } - continue; - check_domain: if (vrd.target_sni == 1 && config.exclude_domains_strlen != 0) { unsigned int j = 0; @@ -775,9 +773,6 @@ nextMessage: i += 5 + message_length; } - - - goto out; out: return vrd;