
changed iptables -A to -I, auth_mode: simple

wangyu 8 lat temu
rodzic
commit
956bc5ab06
5 zmienionych plików z 84 dodań i 32 usunięć
  1. 1 1
      common.cpp
  2. 34 16
      encrypt.cpp
  3. 1 1
      encrypt.h
  4. 41 9
      main.cpp
  5. 7 5
      network.cpp

+ 1 - 1
common.cpp

@@ -52,7 +52,7 @@ char * my_ntoa(u32_t ip)
 int add_iptables_rule(char * s)
 {
 	strcpy(iptables_rule,s);
-	char buf[300]="iptables -A ";
+	char buf[300]="iptables -I ";
 	strcat(buf,s);
 	if(system(buf)==0)
 	{
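Review bot: `strcat(buf,s)` on L30 appends the caller's rule to the fixed 300-byte `buf` with no bound, and `strcpy(iptables_rule,s)` on L27 is unbounded as well; the rule string main.cpp now builds is longer than before (it gains a `_`-separated id and a timestamp in the comment), so the fit should be checked rather than assumed. Replace the `char buf[300]="iptables -I ";` initializer plus the `strcat` with `int n = snprintf(buf, sizeof buf, "iptables -I %s", s); if (n < 0 || (size_t)n >= sizeof buf) return -1;` so a truncated command line is never handed to `system()`. The declared size of `iptables_rule` is not visible here, so the same bound there has to be confirmed against its definition. `add_iptables_rule`'s body continues past the end of this hunk.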

+ 34 - 16
encrypt.cpp

@@ -13,11 +13,11 @@
 static int8_t zero_iv[]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,   0,0,0,0};//this prog use zero iv,you should make sure first block of data contains a random/nonce data
 
 
-unordered_map<int, const char *> auth_mode_tostring = {{auth_none, "none"}, {auth_md5, "md5"}, {auth_crc32, "crc32"},{auth_sum,"sum"}};
+unordered_map<int, const char *> auth_mode_tostring = {{auth_none, "none"}, {auth_md5, "md5"}, {auth_crc32, "crc32"},{auth_simple,"simple"}};
 unordered_map<int, const char *> cipher_mode_tostring={{cipher_none,"none"},{cipher_aes128cbc,"aes128cbc"},{cipher_xor,"xor"}};
 
-auth_mode_t auth_mode=auth_sum;
-cipher_mode_t cipher_mode=cipher_xor;
+auth_mode_t auth_mode=auth_crc32;
+cipher_mode_t cipher_mode=cipher_aes128cbc;
 
 
 /*
@@ -45,7 +45,7 @@ unsigned int crc32h(unsigned char *message,int len) {
    return ~crc;
 }
 
-
+/*
  void sum(const unsigned  char *data,int len,unsigned char*  res) {
    memset(res,0,sizeof(int));
    for(int i=0,j=0;i<len;i++,j++)
@@ -55,7 +55,25 @@ unsigned int crc32h(unsigned char *message,int len) {
    }
 
    return ;
-}
+}*/
+
+void simple_hash(unsigned char *str,int len,unsigned char*  res)   //djb2+ sdb
+{
+	 u32_t hash = 5381;
+     u32_t hash2 = 0;
+     int c;
+     int i=0;
+    while(c = *str++,i++!=len)
+    {
+         hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
+         hash2 = c + (hash2 << 6) + (hash2 << 16) - hash2;
+    }
+
+     hash=htonl(hash);
+     hash2=htonl(hash2);
+     memcpy(res,&hash,sizeof(hash));
+     memcpy(res+sizeof(hash),&hash2,sizeof(hash2));
+ }
 
 int auth_md5_cal(const char *data,char * output,int &len)
 {
@@ -75,21 +93,21 @@ int auth_crc32_cal(const char *data,char * output,int &len)
 	return 0;
 }
 
-int auth_sum_cal(const char *data,char * output,int &len)
+int auth_simple_cal(const char *data,char * output,int &len)
 {
 	//char res[4];
 	memcpy(output,data,len);//TODO inefficient code
-	sum((unsigned char *)output,len,(unsigned char *)(output+len));
-	len+=4;
+	simple_hash((unsigned char *)output,len,(unsigned char *)(output+len));
+	len+=8;
 	return 0;
 }
-int auth_sum_verify(const char *data,int &len)
+int auth_simple_verify(const char *data,int &len)
 {
-	if(len<4) return -1;
-	unsigned char res[4];
-	len-=4;
-	sum((unsigned char *)data,len,res);
-	if(memcmp(res,data+len,sizeof(int))!=0)
+	if(len<8) return -1;
+	unsigned char res[8];
+	len-=8;
+	simple_hash((unsigned char *)data,len,res);
+	if(memcmp(res,data+len,8)!=0)
 		return -1;
 	return 0;
 }
@@ -236,7 +254,7 @@ int auth_cal(const char *data,char * output,int &len)
 	{
 	case auth_crc32:return auth_crc32_cal(data, output, len);
 	case auth_md5:return auth_md5_cal(data, output, len);
-	case auth_sum:return auth_sum_cal(data, output, len);
+	case auth_simple:return auth_simple_cal(data, output, len);
 	case auth_none:return auth_none_cal(data, output, len);
 	default:	return auth_md5_cal(data,output,len);//default
 	}
@@ -249,7 +267,7 @@ int auth_verify(const char *data,int &len)
 	{
 	case auth_crc32:return auth_crc32_verify(data, len);
 	case auth_md5:return auth_md5_verify(data, len);
-	case auth_sum:return auth_sum_verify(data, len);
+	case auth_simple:return auth_simple_verify(data, len);
 	case auth_none:return auth_none_verify(data, len);
 	default:	return auth_md5_verify(data,len);//default
 	}
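Review bot: The loop condition `while(c = *str++,i++!=len)` on L74 reads `str[len]`, one byte past the `len` bytes it is asked to hash, before the `i++!=len` test stops it; the resulting hash only covers `str[0..len-1]`, but the over-read is outside the function's contract and is undefined for any caller whose buffer is exactly `len` bytes. A counted loop removes it: `for (int i = 0; i < len; i++) { int c = str[i]; hash = ((hash << 5) + hash) + c; hash2 = c + (hash2 << 6) + (hash2 << 16) - hash2; }`. Neither djb2 nor sdbm takes a key, so the function deserves a header comment such as `// unkeyed 8-byte checksum (djb2 || sdbm, stored big-endian via htonl): like crc32 mode it detects accidental corruption only, not tampering` so nobody reads "auth_simple" as a MAC. The literal `8` repeated across L100, L111, L112, L113 and L115 and the two `memcpy` sizes would read better as one named constant, e.g. `enum { SIMPLE_HASH_LEN = 8 };`. The old `sum` is kept as a `/* ... */` block (opened at L57, closed at L66) instead of being deleted; the same commented-out-code pattern appears at main.cpp L213-L214 and network.cpp L267.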

+ 1 - 1
encrypt.h

@@ -20,7 +20,7 @@ int my_decrypt_pesudo_header(uint8_t *data,uint8_t *output,int &len,uint8_t * ke
 unsigned short csum(const unsigned short *ptr,int nbytes) ;
 
 
-enum auth_mode_t {auth_none=0,auth_md5,auth_crc32,auth_sum,auth_end};
+enum auth_mode_t {auth_none=0,auth_md5,auth_crc32,auth_simple,auth_end};
 
 
 enum cipher_mode_t {cipher_none=0,cipher_aes128cbc,cipher_xor,cipher_end};

+ 41 - 9
main.cpp

@@ -2251,7 +2251,7 @@ void print_help()
 	printf("    --raw-mode            <string>        avaliable values:faketcp,udp,icmp\n");
 	printf("    -k,--key              <string>        password to gen symetric key\n");
 	printf("    --auth-mode           <string>        avaliable values:aes128cbc(default),xor,none\n");
-	printf("    --cipher-mode         <string>        avaliable values:md5(default),crc32,sum,none\n");
+	printf("    --cipher-mode         <string>        avaliable values:md5(default),crc32,simple,none\n");
 	printf("    -a,--auto-add                         auto add (and delete) iptables rule\n");
 	printf("    --disable-anti-replay 				  disable anti-replay,not suggested");
 
@@ -2304,6 +2304,7 @@ void process_arg(int argc, char *argv[])
 		{"disable-anti-replay", no_argument,    0, 1},
 		{"auto-add", no_argument,    0, 'a'},
 		{"debug", no_argument,    0, 1},
+		{"clear", no_argument,    0, 1},
 		{"sock-buf", required_argument,    0, 1},
 		{"seq-mode", required_argument,    0, 1},
 		{NULL, 0, 0, 0}
@@ -2363,18 +2364,29 @@ void process_arg(int argc, char *argv[])
 			no_l = 0;
 			if (strchr(optarg, ':') != 0) {
 				sscanf(optarg, "%[^:]:%d", local_address, &local_port);
+				if(local_port==22)
+				{
+					mylog(log_fatal,"port 22 not allowed\n");
+					myexit(-1);
+				}
 			} else {
-				strcpy(local_address, "127.0.0.1");
-				sscanf(optarg, "%d", &local_port);
+				mylog(log_fatal,"invalid parameter for -l ,%s,should be ip:port\n",optarg);
+				myexit(-1);
+
 			}
 			break;
 		case 'r':
 			no_r = 0;
 			if (strchr(optarg, ':') != 0) {
 				sscanf(optarg, "%[^:]:%d", remote_address, &remote_port);
+				if(remote_port==22)
+				{
+					mylog(log_fatal,"port 22 not allowed\n");
+					myexit(-1);
+				}
 			} else {
-				strcpy(remote_address, "127.0.0.1");
-				sscanf(optarg, "%d", &remote_port);
+				mylog(log_fatal,"invalid parameter for -r ,%s,should be ip:port\n",optarg);
+				myexit(-1);
 			}
 			break;
 		case 's':
@@ -2410,7 +2422,15 @@ void process_arg(int argc, char *argv[])
 			break;
 		case 1:
 			mylog(log_debug,"option_index: %d\n",option_index);
-			if(strcmp(long_options[option_index].name,"source-ip")==0)
+			if(strcmp(long_options[option_index].name,"clear")==0)
+			{
+				system("iptables-save |grep udp2raw_dWRwMnJhdw|sed -n 's/^-A/iptables -D/p'|sh");
+				//system("iptables-save |grep udp2raw_dWRwMnJhdw|sed 's/^-A/iptables -D/'|sh");
+				//system("iptables-save|grep -v udp2raw_dWRwMnJhdw|iptables-restore");
+				mylog(log_info,"tried to clear all iptables rule created previously");
+				myexit(-1);
+			}
+			else if(strcmp(long_options[option_index].name,"source-ip")==0)
 			{
 				mylog(log_debug,"parsing long option :source-ip\n");
 				sscanf(optarg, "%s", source_address);
@@ -2620,16 +2640,28 @@ void iptables_warn()
 	}
 	if(auto_add_iptables_rule)
 	{
-			strcat(rule," -m comment --comment udp2raw_added_");
+			strcat(rule," -m comment --comment udp2raw_dWRwMnJhdw_");
+
 			char const_id_str[100];
-			sprintf(const_id_str,"%x",const_id);
+			sprintf(const_id_str,"%x_",const_id);
+
 			strcat(rule,const_id_str);
 
+		    time_t timer;
+		    char buffer[26];
+		    struct tm* tm_info;
+
+		    time(&timer);
+		    tm_info = localtime(&timer);
+
+		    strftime(buffer, 26, "%Y-%m-%d-%H:%M:%S", tm_info);
+
+		    strcat(rule,buffer);
 			add_iptables_rule(rule);
 	}
 	else
 	{
-		mylog(log_warn,"make sure you have run once:  iptables -A %s\n",rule);
+		mylog(log_warn,"make sure you have run once:  iptables -I %s\n",rule);
 	}
 }
 int main(int argc, char *argv[])
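Review bot: The new `if(local_port==22)` check on L175 (and `remote_port==22` on L192) runs whether or not the preceding `sscanf` actually parsed a port, because its return value is not checked; on input like `1.2.3.4:abc` the port variable keeps whatever it held before, and the "should be ip:port" message the commit adds to the else-branch is never reached. Make the parse itself the gate: `if (sscanf(optarg, "%[^:]:%d", local_address, &local_port) != 2 || local_port < 1 || local_port > 65535) { mylog(log_fatal,"invalid parameter for -l ,%s,should be ip:port\n",optarg); myexit(-1); }`, and give `%[^:]` a field width matching the size of `local_address` (declared outside this hunk) so a long host part cannot overrun it. The help text at L157-L159 still lists the cipher values under `--auth-mode` and the auth values under `--cipher-mode`, and names md5 as the auth default although encrypt.cpp L47 now sets `auth_crc32`. In the `--clear` branch (L212-L216) the result of `system()` is discarded, so "tried to clear all iptables rule created previously" is logged even when the pipeline fails, and the process exits with -1 on the success path too; check the return value and exit 0 when the rules were removed. `process_arg` and `iptables_warn` both extend beyond their hunks.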

+ 7 - 5
network.cpp

@@ -1051,13 +1051,10 @@ int recv_raw_tcp(raw_info_t &raw_info,char * &payload,int &payloadlen)
     }
     else
     {
-    	mylog(log_info,"tcph->doff= %u\n",tcph->doff);
-    }
-    if(tcph->rst==1)
-    {
-    	mylog(log_error,"rst==1\n");
+    	//mylog(log_info,"tcph->doff= %u\n",tcph->doff);
     }
 
+
     recv_info.ack=tcph->ack;
     recv_info.syn=tcph->syn;
     recv_info.rst=tcph->rst;
@@ -1068,6 +1065,11 @@ int recv_raw_tcp(raw_info_t &raw_info,char * &payload,int &payloadlen)
     recv_info.ack_seq=ntohl(tcph->ack_seq);
     recv_info.psh=tcph->psh;
 
+    if(tcph->rst==1)
+    {
+    	mylog(log_error,"[%s,%d]rst==1\n",my_ntoa(recv_info.src_ip),recv_info.src_port);
+    }
+
    /* if(recv_info.has_ts)
     {
     	send_info.ts_ack=recv_info.ts;   //////////////////////////////////////////////modify
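Review bot: The new `mylog(log_error,"[%s,%d]rst==1\n",...)` on L280 emits an error-level line for every segment with RST set that reaches `recv_raw_tcp`; if the raw socket also delivers segments that do not belong to this tunnel (not determinable from this hunk), that is one log line per stray RST under ordinary traffic, so `log_debug`, or a rate limit, fits better unless an RST from the configured peer is the only case meant to be reported. The `%d` conversion assumes `recv_info.src_port` is an int-sized integer; its declaration is outside the hunk, so confirm it or cast explicitly, `(int)recv_info.src_port`. Moving the check below the `recv_info` assignments so `src_ip` is populated is correct, but a comment such as `// checked after recv_info is filled so the peer address can be logged` would explain the ordering to the next reader. `recv_raw_tcp` continues past the end of this hunk.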