nfqws: conntrack workaround TTL=1

3 months ago · 729ded0c61
2 changed files with 13 additions and 6 deletions
--- a/nfq/desync.c
+++ b/nfq/desync.c
@ -564,9 +564,18 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct
 	if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp)))
 	{
 		DLOG("applying linux postnat conntrack workaround\n");
-		// make ip protocol invalid
-		if (ip6) ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255;
-		if (ip) ip->ip_p = 255; // this also makes ipv4 header checksum invalid
+		// make ip protocol invalid and low TTL
+		if (ip6)
+		{
+			ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255;
+			ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = 1;
+		}
+		if (ip)
+		{
+			// this likely also makes ipv4 header checksum invalid
+			ip->ip_p = 255;
+			ip->ip_ttl = 1;
+		}
 		return VERDICT_MODIFY | VERDICT_NOCSUM;
 	}
 #endif
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -296,6 +296,7 @@ static int nfq_main(void)
 		return 1;
 	}

+	sec_harden();
 	if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
 		goto err;
 	print_id();
@ -307,9 +308,6 @@ static int nfq_main(void)

 	if (params.daemon) daemonize();

-	// do it only after daemonize because daemonize needs fork
-	sec_harden();
-
 	if (Fpid)
 	{
 		if (fprintf(Fpid, "%d", getpid())<=0)