Skip to content

Commit d031ae6

Browse files
ValdikSSValdikSS
committed
New option: -q - block QUIC/HTTP3
Only Initial packet in Long Header Packets are blocked. The packet should be at least 1200 bytes in size.
1 parent 905d3c9 commit d031ae6

File tree

2 files changed

+22
-3
lines changed

2 files changed

+22
-3
lines changed

README.md

+1
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ Download [latest version from Releases page](https://github.com/ValdikSS/Goodbye
2222
```
2323
Usage: goodbyedpi.exe [OPTION...]
2424
-p block passive DPI
25+
-q block QUIC/HTTP3
2526
-r replace Host with hoSt
2627
-s remove space between host header and its value
2728
-m mix Host header case (test.com -> tEsT.cOm)

src/goodbyedpi.c

+21-3
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,9 @@ WINSOCK_API_LINKAGE INT WSAAPI inet_pton(INT Family, LPCSTR pStringBuf, PVOID pA
7878
"(tcp.DstPort == 80 or tcp.DstPort == 443) and tcp.Ack and " \
7979
"(" DIVERT_NO_LOCALNETSv4_DST " or " DIVERT_NO_LOCALNETSv6_DST "))" \
8080
"))"
81+
#define FILTER_PASSIVE_BLOCK_QUIC "outbound and !impostor and !loopback and udp " \
82+
"and udp.DstPort == 443 and udp.PayloadLength >= 1200 " \
83+
"and udp.Payload[0] >= 0xC0 and udp.Payload32[1b] == 0x01"
8184
#define FILTER_PASSIVE_STRING_TEMPLATE "inbound and ip and tcp and " \
8285
"!impostor and !loopback and " \
8386
"((ip.Id <= 0xF and ip.Id >= 0x0) " IPID_TEMPLATE ") and " \
@@ -559,7 +562,8 @@ int main(int argc, char *argv[]) {
559562
conntrack_info_t dns_conn_info;
560563
tcp_conntrack_info_t tcp_conn_info;
561564

562-
int do_passivedpi = 0, do_fragment_http = 0,
565+
int do_passivedpi = 0, do_block_quic = 0,
566+
do_fragment_http = 0,
563567
do_fragment_http_persistent = 0,
564568
do_fragment_http_persistent_nowait = 0,
565569
do_fragment_https = 0, do_host = 0,
@@ -641,7 +645,7 @@ int main(int argc, char *argv[]) {
641645
max_payload_size = 1200;
642646
}
643647

644-
while ((opt = getopt_long(argc, argv, "123456prsaf:e:mwk:n", long_options, NULL)) != -1) {
648+
while ((opt = getopt_long(argc, argv, "123456pqrsaf:e:mwk:n", long_options, NULL)) != -1) {
645649
switch (opt) {
646650
case '1':
647651
do_passivedpi = do_host = do_host_removespace \
@@ -685,6 +689,9 @@ int main(int argc, char *argv[]) {
685689
case 'p':
686690
do_passivedpi = 1;
687691
break;
692+
case 'q':
693+
do_block_quic = 1;
694+
break;
688695
case 'r':
689696
do_host = 1;
690697
break;
@@ -884,6 +891,7 @@ int main(int argc, char *argv[]) {
884891
default:
885892
puts("Usage: goodbyedpi.exe [OPTION...]\n"
886893
" -p block passive DPI\n"
894+
" -q block QUIC/HTTP3\n"
887895
" -r replace Host with hoSt\n"
888896
" -s remove space between host header and its value\n"
889897
" -a additional space between Method and Request-URI (enables -s, may break sites)\n"
@@ -960,6 +968,7 @@ int main(int argc, char *argv[]) {
960968
}
961969

962970
printf("Block passive: %d\n" /* 1 */
971+
"Block QUIC/HTTP3: %d\n" /* 1 */
963972
"Fragment HTTP: %u\n" /* 2 */
964973
"Fragment persistent HTTP: %u\n" /* 3 */
965974
"Fragment HTTPS: %u\n" /* 4 */
@@ -979,7 +988,7 @@ int main(int argc, char *argv[]) {
979988
"Fake requests, wrong checksum: %d\n" /* 17 */
980989
"Fake requests, wrong SEQ/ACK: %d\n" /* 18 */
981990
"Max payload size: %hu\n", /* 19 */
982-
do_passivedpi, /* 1 */
991+
do_passivedpi, do_block_quic, /* 1 */
983992
(do_fragment_http ? http_fragment_size : 0), /* 2 */
984993
(do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
985994
(do_fragment_https ? https_fragment_size : 0), /* 4 */
@@ -1031,6 +1040,15 @@ int main(int argc, char *argv[]) {
10311040
filter_num++;
10321041
}
10331042

1043+
if (do_block_quic) {
1044+
filters[filter_num] = init(
1045+
FILTER_PASSIVE_BLOCK_QUIC,
1046+
WINDIVERT_FLAG_DROP);
1047+
if (filters[filter_num] == NULL)
1048+
die();
1049+
filter_num++;
1050+
}
1051+
10341052
/*
10351053
* IPv4 & IPv6 filter for inbound HTTP redirection packets and
10361054
* active DPI circumvention

0 commit comments

Comments
 (0)