kmod-oaf: skb length trick

oaf/Makefile

@@ -3,6 +3,9 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=oaf
+PKG_VERSION:=5.0.8
+PKG_RELEASE:=1
+
 include $(INCLUDE_DIR)/package.mk
 
 PKG_AUTOLOAD:=oaf

oaf/src/af_bypass.h

@@ -0,0 +1,55 @@
+#ifndef __AF_BYPASS_H__
+#define __AF_BYPASS_H__
+
+static inline int bypassed_interface(struct net_device *in)
+{
+	if (0 == strncmp(in->name, "br-lan", 6)){
+		return 0;
+	}
+	else{
+		return 1;
+	}
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
+#define BYPASS_PACKET() (bypass_packet(skb))
+static inline int bypass_packet(struct sk_buff *skb) {
+#else
+#define BYPASS_PACKET() (bypass_packet(skb, in))
+static inline int bypass_packet(struct sk_buff *skb, const struct net_device *in) {
+#endif
+	int bypassed = 0;
+// 4.10-->4.11 nfct-->_nfct
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,11,0)
+	struct nf_conn *ct = (struct nf_conn *)skb->_nfct;
+#else
+	struct nf_conn *ct = (struct nf_conn *)skb->nfct;
+#endif
+	if (ct == NULL) {
+		return 1;
+	}
+
+	// for HTTP GET / or HTTPS clien-hello, just a trick
+	if (skb->len < 67 || skb->len > 1200)
+		return 1;
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
+	if(!skb->dev)
+		return 1;
+
+	bypassed = bypassed_interface(skb->dev);
+#else
+	if (!in){
+		AF_ERROR("in is NULL\n");
+		return 1;
+	}
+	bypassed = bypassed_interface(in);
+#endif
+
+	if (bypassed)
+		return 1;
+
+	return 0;
+}
+
+#endif

oaf/src/af_client.c

@@ -24,6 +24,7 @@
 #include "af_utils.h"
 #include "app_filter.h"
 #include "cJSON.h"
+#include "af_bypass.h"
 
 DEFINE_RWLOCK(af_client_lock);
 
@@ -222,7 +223,6 @@ void flush_expired_visit_info(af_client_info_t *node)
 
 		if (cur_timep - node->visit_info[i].latest_time > timeout)
 		{
-			// 3?��o?��??3y????
 			memset(&node->visit_info[i], 0x0, sizeof(app_visit_info_t));
 			count++;
 		}
@@ -297,17 +297,6 @@ void af_visit_info_report(void)
 	}
 	AF_CLIENT_UNLOCK_W();
 }
-static inline int get_packet_dir(struct net_device *in)
-{
-	if (0 == strncmp(in->name, "br-lan", 6))
-	{
-		return PKT_DIR_UP;
-	}
-	else
-	{
-		return PKT_DIR_DOWN;
-	}
-}
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 static u_int32_t af_client_hook(void *priv,
@@ -325,36 +314,16 @@ static u_int32_t af_client_hook(unsigned int hook,
 	struct ethhdr *ethhdr = NULL;
 	unsigned char smac[ETH_ALEN];
 	af_client_info_t *nfc = NULL;
-	int pkt_dir = 0;
 	struct iphdr *iph = NULL;
 	unsigned int ip = 0;
 
-// 4.10-->4.11 nfct-->_nfct
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
-	struct nf_conn *ct = (struct nf_conn *)skb->_nfct;
-#else
-	struct nf_conn *ct = (struct nf_conn *)skb->nfct;
-#endif
-	if (ct == NULL)
-	{
-		return NF_ACCEPT;
-	}
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
-	if (!skb->dev)
-		return NF_ACCEPT;
-
-	pkt_dir = get_packet_dir(skb->dev);
-#else
-	if (!in)
-	{
-		AF_ERROR("in is NULL\n");
+	if (skb->protocol == htons(ETH_P_IP)) {
+		iph = ip_hdr(skb);
+		ip = iph->saddr;
+	} else if (AF_MODE_GATEWAY != af_work_mode)
 		return NF_ACCEPT;
-	}
-	pkt_dir = get_packet_dir(in);
-#endif
 
-	if (PKT_DIR_UP != pkt_dir)
+	if (BYPASS_PACKET())
 		return NF_ACCEPT;
 
 	ethhdr = eth_hdr(skb);
@@ -367,12 +336,6 @@ static u_int32_t af_client_hook(unsigned int hook,
 		memcpy(smac, &skb->cb[40], ETH_ALEN);
 	}
 
-	if (skb->protocol == htons(ETH_P_IP)) {
-		iph = ip_hdr(skb);
-		ip = iph->saddr;
-	} else if (AF_MODE_GATEWAY != af_work_mode)
-		return NF_ACCEPT;
-
 	AF_CLIENT_LOCK_W();
 	nfc = find_af_client(smac);
 	if (!nfc)

oaf/src/af_client.h

@@ -22,12 +22,6 @@ extern u32 nfc_debug_level;
 		((unsigned char *)&addr)[3]
 #define NIPQUAD_FMT "%u.%u.%u.%u"
 
-enum NFC_PKT_DIR
-{
-	PKT_DIR_DOWN,
-	PKT_DIR_UP
-};
-
 #define MAX_VISIT_HISTORY_TIME 24
 #define MAX_RECORD_APP_NUM 64
 

oaf/src/app_filter.c

@@ -24,6 +24,7 @@
 #include "af_client.h"
 #include "af_client_fs.h"
 #include "cJSON.h"
+#include "af_bypass.h"
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("[email protected]");
@@ -691,8 +692,8 @@ static void dump_flow_info(flow_info_t *flow)
 	}
 	if (flow->l4_len > 0)
 	{
-		AF_LMT_INFO("src=" NIPQUAD_FMT ",dst=" NIPQUAD_FMT ",sport: %d, dport: %d, data_len: %d\n",
-					NIPQUAD(flow->src), NIPQUAD(flow->dst), flow->sport, flow->dport, flow->l4_len);
+		AF_LMT_INFO("src=" NIPQUAD_FMT ",dst=" NIPQUAD_FMT ",sport: %d, dport: %d, data_len: %d, http: %d, https: %d\n",
+					NIPQUAD(flow->src), NIPQUAD(flow->dst), flow->sport, flow->dport, flow->l4_len, flow->http.match, flow->https.match);
 	}
 
 	if (flow->l4_protocol == IPPROTO_TCP)
@@ -982,12 +983,11 @@ u_int32_t app_filter_hook_bypass_handle(struct sk_buff *skb, struct net_device *
 
 	if (0 == af_lan_ip || 0 == af_lan_mask)
 		return NF_ACCEPT;
-	if (strstr(dev->name, "docker"))
-		return NF_ACCEPT;
 
 	memset((char *)&flow, 0x0, sizeof(flow_info_t));
 	if (parse_flow_proto(skb, &flow) < 0)
 		return NF_ACCEPT;
+
 	if (flow.src || flow.dst) {
 		if (af_lan_ip == flow.src || af_lan_ip == flow.dst){
 			return NF_ACCEPT;
@@ -1116,6 +1116,8 @@ u_int32_t app_filter_hook_gateway_handle(struct sk_buff *skb, struct net_device
 		return NF_ACCEPT;
 	}
 
+	if (skb->len < 67 || skb->len > 1200)
+		return NF_ACCEPT;
 	if (skb_is_nonlinear(skb)) {
 		flow.l4_data = read_skb(skb, flow.l4_data - skb->data, flow.l4_len);
 		if (!flow.l4_data)
@@ -1187,6 +1189,8 @@ static u_int32_t app_filter_by_pass_hook(unsigned int hook,
 		return NF_ACCEPT;
 	if (AF_MODE_GATEWAY == af_work_mode)
 		return NF_ACCEPT;
+	if (BYPASS_PACKET())
+		return NF_ACCEPT;
 	return app_filter_hook_bypass_handle(skb, skb->dev);
 }