From d031ae65bfec815d917f89823bcb7b265b5c8450 Mon Sep 17 00:00:00 2001
From: ValdikSS
Date: Wed, 31 Jul 2024 11:55:23 +0300
Subject: [PATCH] New option: -q - block QUIC/HTTP3
Only Initial packet in Long Header Packets are blocked. The packet should be at least 1200 bytes in size.
---
 README.md | 1 +
 src/goodbyedpi.c | 24 +++++++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index bf86af6..94db176 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ Download [latest version from Releases page](https://github.com/ValdikSS/Goodbye
 ```
 Usage: goodbyedpi.exe [OPTION...]
 -p block passive DPI
+ -q block QUIC/HTTP3
 -r replace Host with hoSt
 -s remove space between host header and its value
 -m mix Host header case (test.com -> tEsT.cOm)
diff --git a/src/goodbyedpi.c b/src/goodbyedpi.c
index 93083cc..65e3da8 100644
--- a/src/goodbyedpi.c
+++ b/src/goodbyedpi.c
@@ -78,6 +78,9 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
 "(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and " \
 "(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST "))" \
 "))"
+#define FILTER_PASSIVE_BLOCK_QUIC "outbound and !impostor and !loopback and udp " \
+ "and udp.DstPort == 443 and udp.PayloadLength >= 1200 " \
+ "and udp.Payload[0] >= 0xC0 and udp.Payload32[1b] == 0x01"
 #define FILTER_PASSIVE_STRING_TEMPLATE "inbound and ip and tcp and " \
 "!impostor and !loopback and " \
 "((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE ") and " \
@@ -559,7 +562,8 @@ int main(int argc, char *argv[]) {
 conntrack_info_t dns_conn_info;
 tcp_conntrack_info_t tcp_conn_info;
- int do_passivedpi = 0, do_fragment_http = 0,
+ int do_passivedpi = 0, do_block_quic = 0,
+ do_fragment_http = 0,
 do_fragment_http_persistent = 0,
 do_fragment_http_persistent_nowait = 0,
 do_fragment_https = 0, do_host = 0,
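Review bot: In `FILTER_PASSIVE_BLOCK_QUIC`, the test `udp.Payload[0] >= 0xC0` matches every long-header packet type, not only Initial as the commit message states. In QUIC version 1 the Initial type occupies the first-byte range 0xC0–0xCF, so the test could be tightened to `udp.Payload[0] >= 0xC0 and udp.Payload[0] <= 0xCF`. The comparison `udp.Payload32[1b] == 0x01` covers version 1 only, so other QUIC versions pass through unblocked; a comment above the macro should say so, for example `/* Drops outbound QUIC v1 long-header packets (version 0x00000001, UDP payload >= 1200 bytes) to port 443 */`. Unlike the TCP filter in the context lines, this one has no `DIVERT_NO_LOCALNETSv4_DST` / `DIVERT_NO_LOCALNETSv6_DST` exclusion, so QUIC to local-network hosts is dropped as well; if that is intended, the comment should state it.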
@@ -641,7 +645,7 @@ int main(int argc, char *argv[]) {
 max_payload_size = 1200;
 }
- while ((opt = getopt_long(argc, argv, "123456prsaf:e:mwk:n", long_options, NULL)) != -1) {
+ while ((opt = getopt_long(argc, argv, "123456pqrsaf:e:mwk:n", long_options, NULL)) != -1) {
 switch (opt) {
 case '1':
 do_passivedpi = do_host = do_host_removespace \
@@ -685,6 +689,9 @@ int main(int argc, char *argv[]) {
 case 'p':
 do_passivedpi = 1;
 break;
+ case 'q':
+ do_block_quic = 1;
+ break;
 case 'r':
 do_host = 1;
 break;
@@ -884,6 +891,7 @@ int main(int argc, char *argv[]) {
 default:
 puts("Usage: goodbyedpi.exe [OPTION...]\n"
 " -p block passive DPI\n"
+ " -q block QUIC/HTTP3\n"
 " -r replace Host with hoSt\n"
 " -s remove space between host header and its value\n"
 " -a additional space between Method and Request-URI (enables -s, may break sites)\n"
@@ -960,6 +968,7 @@ int main(int argc, char *argv[]) {
 }
 printf("Block passive: %d\n" /* 1 */
+ "Block QUIC/HTTP3: %d\n" /* 1 */
 "Fragment HTTP: %u\n" /* 2 */
 "Fragment persistent HTTP: %u\n" /* 3 */
 "Fragment HTTPS: %u\n" /* 4 */
@@ -979,7 +988,7 @@ int main(int argc, char *argv[]) {
 "Fake requests, wrong checksum: %d\n" /* 17 */
 "Fake requests, wrong SEQ/ACK: %d\n" /* 18 */
 "Max payload size: %hu\n", /* 19 */
- do_passivedpi, /* 1 */
+ do_passivedpi, do_block_quic, /* 1 */
 (do_fragment_http ? http_fragment_size : 0), /* 2 */
 (do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
 (do_fragment_https ? https_fragment_size : 0), /* 4 */
@@ -1031,6 +1040,15 @@ int main(int argc, char *argv[]) {
 filter_num++;
 }
+ if (do_block_quic) {
+ filters[filter_num] = init(
+ FILTER_PASSIVE_BLOCK_QUIC,
+ WINDIVERT_FLAG_DROP);
+ if (filters[filter_num] == NULL)
+ die();
+ filter_num++;
+ }
+
 /*
 * IPv4 & IPv6 filter for inbound HTTP redirection packets and
 * active DPI circumvention
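Review bot: The new format line `"Block QUIC/HTTP3: %d\n"` reuses the index comment `/* 1 */`, and in the hunk at -979 its argument shares a line with `do_passivedpi` under that same index. The index comments pair each format specifier with its argument one per line, so doubling up makes a later specifier/argument mismatch harder to spot. Giving the new pair its own marker, for example `/* 1a */` on the format line and on a separate `do_block_quic,` argument line, keeps the one-to-one layout without renumbering the rest. The printf call runs past the end of both hunks.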
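Review bot: The added `if (do_block_quic)` block stores one more handle in `filters[filter_num]`, but the array's declaration is outside the hunk, so its capacity when every optional filter is enabled cannot be confirmed from here. If the array was sized for the previous maximum, this write lands one slot past the end. A guard before the `init()` call, such as `if (filter_num >= sizeof(filters) / sizeof(filters[0])) die();`, would make the limit explicit, assuming `filters` is a true array rather than a pointer. The handle is opened with `WINDIVERT_FLAG_DROP`, so matching packets are discarded without any trace; a one-line comment stating that (presumably the client is expected to fall back to TCP) would help the next reader.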