mirror of
https://github.com/apernet/OpenGFW.git
synced 2024-12-23 01:19:21 +08:00
fix: verdict is missing for multicast packets
parent
8b07826de6
commit
a0b994ce22
@ -138,9 +138,10 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
|
|||||||
func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error {
|
func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error {
|
||||||
err := n.n.RegisterWithErrorFunc(ctx,
|
err := n.n.RegisterWithErrorFunc(ctx,
|
||||||
func(a nfqueue.Attribute) int {
|
func(a nfqueue.Attribute) int {
|
||||||
if a.PacketID == nil || a.Ct == nil || a.Payload == nil || len(*a.Payload) < 20 {
|
if ok, verdict := n.packetAttributeSanityCheck(a); !ok {
|
||||||
// Invalid packet, ignore
|
if a.PacketID != nil {
|
||||||
// 20 is the minimum possible size of an IP packet
|
_ = n.n.SetVerdict(*a.PacketID, verdict)
|
||||||
|
}
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
p := &nfqueuePacket{
|
p := &nfqueuePacket{
|
||||||
@ -170,6 +171,25 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (n *nfqueuePacketIO) packetAttributeSanityCheck(a nfqueue.Attribute) (ok bool, verdict int) {
|
||||||
|
if a.PacketID == nil {
|
||||||
|
// Re-inject to NFQUEUE is actually not possible in this condition
|
||||||
|
return false, -1
|
||||||
|
}
|
||||||
|
if a.Payload == nil || len(*a.Payload) < 20 {
|
||||||
|
// 20 is the minimum possible size of an IP packet
|
||||||
|
return false, nfqueue.NfDrop
|
||||||
|
}
|
||||||
|
if a.Ct == nil {
|
||||||
|
// Multicast packets may not have a conntrack, but only appear in local mode
|
||||||
|
if n.local {
|
||||||
|
return false, nfqueue.NfAccept
|
||||||
|
}
|
||||||
|
return false, nfqueue.NfDrop
|
||||||
|
}
|
||||||
|
return true, -1
|
||||||
|
}
|
||||||
|
|
||||||
func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) error {
|
func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) error {
|
||||||
nP, ok := p.(*nfqueuePacket)
|
nP, ok := p.(*nfqueuePacket)
|
||||||
if !ok {
|
if !ok {
|
||||||
|
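Review bot: In `packetAttributeSanityCheck`, the `a.Ct == nil` branch returns `nfqueue.NfAccept` whenever `n.local` is set, so the accept decision rests only on missing conntrack data and never checks that the packet is actually multicast. As written, any packet that arrives without conntrack data in local mode is accepted and the handler returns before the rest of the callback runs. If only multicast is meant to be exempt, the branch should also confirm the destination address from `*a.Payload` (already known to be at least 20 bytes at that point). Otherwise the comment should state that the fail-open is deliberate, e.g. `// No conntrack in local mode: accept uninspected (fail-open); expected for multicast`. Separately, the call site in `Register` discards the result with `_ = n.n.SetVerdict(*a.PacketID, verdict)`; a failed call presumably leaves the packet without a verdict, which is the condition this commit targets, so the error is worth surfacing. The body of `Register` continues outside the first hunk.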