kkevsterrr / geneva

automated censorship evasion for the client-side and server-side

Home Page: https://censorship.ai

License: BSD 3-Clause "New" or "Revised" License


geneva's Introduction

Geneva

Are you using Geneva? If so, let us know! Shoot us an email at [email protected], or to use PGP, email us directly with our keys on our website.

Geneva is an artificial intelligence tool designed by researchers at the University of Maryland that defeats censorship by exploiting bugs in censors, such as those in China, India, and Kazakhstan. Unlike many other anti-censorship solutions which require assistance from outside the censoring regime (Tor, VPNs, etc.), Geneva runs strictly on one side of the connection (either the client or server side). Geneva should be considered a research project for researchers, and it is not built with a graphical user interface.

Under the hood, Geneva uses a genetic algorithm to evolve censorship evasion strategies and has found several previously unknown bugs in censors. Geneva's strategies manipulate the network stream to confuse the censor without impacting the client/server communication. This makes Geneva effective against many types of in-network censorship (though it cannot be used against IP-blocking censorship).

Geneva is composed of two high-level components: its genetic algorithm (which it uses to evolve new censorship evasion strategies) and its strategy engine (which it uses to run an individual censorship evasion strategy over a network connection).

This codebase contains Geneva's full implementation: its genetic algorithm, strategy engine, Python API, and a subset of published strategies. With these tools, users and researchers alike can evolve new strategies or leverage existing strategies to evade censorship. To learn more about how Geneva works, see How it Works or check out our documentation.

Setup

Geneva has been developed and tested for CentOS or Debian-based systems. Due to limitations of netfilter and raw sockets, Geneva does not work on OS X or Windows at this time. It requires Python 3.6. More detailed setup instructions are available at our documentation.

Install netfilterqueue dependencies:

# sudo apt-get install build-essential python-dev libnetfilter-queue-dev libffi-dev libssl-dev iptables python3-pip

Install Python dependencies:

# python3 -m pip install -r requirements.txt

On Debian 10 systems, some users have reported needing to install netfilterqueue directly from GitHub:

# sudo python3 -m pip install --upgrade -U git+https://github.com/kti/python-netfilterqueue

On Arch systems, some users have reported needing to make liblibc.a available for netfilterqueue:

sudo ln -s -f /usr/lib64/libc.a /usr/lib64/liblibc.a 

Running a Strategy

A censorship evasion strategy is simply a description of how network traffic should be modified. A strategy is not code; it is a description that tells the engine how it should operate over traffic. For a fuller description of the DNA syntax, see Censorship Evasion Strategies.

# python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug
2019-10-14 16:34:45 DEBUG:[ENGINE] Engine created with strategy \/ (ID bm3kdw3r) to port 80
2019-10-14 16:34:45 DEBUG:[ENGINE] Configuring iptables rules
2019-10-14 16:34:45 DEBUG:[ENGINE] iptables -A OUTPUT -p tcp --sport 80 -j NFQUEUE --queue-num 1
2019-10-14 16:34:45 DEBUG:[ENGINE] iptables -A INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 2
2019-10-14 16:34:45 DEBUG:[ENGINE] iptables -A OUTPUT -p udp --sport 80 -j NFQUEUE --queue-num 1
2019-10-14 16:34:45 DEBUG:[ENGINE] iptables -A INPUT -p udp --dport 80 -j NFQUEUE --queue-num 2

Note that if you have stale iptables rules or other rules that rely on Geneva's default queues, this will fail. To fix this, remove those rules.

Also note that if you want to specify multiple ports for Geneva to monitor, you can specify a port range using --server-port 4000:5000 to monitor all ports in the range 4000-5000, or you can specify a list like --server-port 80,443,4444 to only monitor the explicit ports given.
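
A pre-flight check for the stale-rule problem noted above, as an added example that is not part of Geneva: it scans `iptables -S` output for NFQUEUE rules that feed the queues shown in the debug log and builds the matching delete commands. The queue numbers 1 and 2 are taken from that log, the rule listing is constructed sample data, and the function names are hypothetical.

```python
import shlex
from typing import FrozenSet, List, Tuple

# Assumption: the queue numbers that appear in the engine's debug log above.
GENEVA_QUEUES = frozenset({1, 2})

# Constructed sample of `iptables -S` output (not captured from a real host).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 2
-A OUTPUT -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 1
-A OUTPUT -p udp -m udp --sport 8080 -j NFQUEUE --queue-num 5
-A FORWARD -p tcp -j NFQUEUE --queue-balance 0:3
"""


def nfqueue_range(tokens: List[str]) -> Tuple[int, int]:
    """Return the inclusive range of queue numbers an NFQUEUE rule feeds."""
    if "--queue-balance" in tokens:
        low, high = tokens[tokens.index("--queue-balance") + 1].split(":")
        return int(low), int(high)
    if "--queue-num" in tokens:
        num = int(tokens[tokens.index("--queue-num") + 1])
        return num, num
    return 0, 0  # an NFQUEUE target with no option uses queue 0


def conflicting_rules(listing: str,
                      queues: FrozenSet[int] = GENEVA_QUEUES) -> List[str]:
    """Rules from an `iptables -S` listing that send packets to any of `queues`."""
    hits = []
    for line in listing.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A" or "-j" not in tokens:
            continue  # policy lines, blank lines, rules without a target
        at = tokens.index("-j")
        if tokens[at + 1:at + 2] != ["NFQUEUE"]:
            continue
        low, high = nfqueue_range(tokens)
        if any(low <= q <= high for q in queues):
            hits.append(line.strip())
    return hits


def delete_commands(rules: List[str]) -> List[str]:
    """Turn each '-A CHAIN ...' rule into the iptables command that removes it."""
    return ["iptables -D " + rule[len("-A "):] for rule in rules]


if __name__ == "__main__":
    # Review the list before running any of the printed commands as root.
    for cmd in delete_commands(conflicting_rules(SAMPLE_RULES)):
        print(cmd)
```
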

Strategy Library

Geneva has found dozens of strategies that work against censors in China, Kazakhstan, India, and Iran. We include several of these strategies in strategies.md. Note that this file contains success rates for each individual country; a strategy that works in one country may not work as well in other countries.

Researchers have observed that strategies may have differing success rates based on your exact location. Although we have not observed this from our vantage points, you may find that some strategies may work differently in a country we have tested. If this is the case, don't be alarmed. However, please feel free to reach out to a member of the team directly or open an issue on this page so we can track how the strategies work from other geographic locations.

Disclaimer

Running these strategies may place you at risk if you use them within a censoring regime. Geneva takes overt actions that interfere with the normal operations of a censor, and its strategies are detectable on the network. During the training process, Geneva will intentionally trip censorship many times. Geneva is not an anonymity tool, nor does it encrypt any traffic. Understand the risks of running Geneva in your country before trying it.


How it Works

See our paper for an in-depth read on how Geneva works. Below is a walkthrough of the main concepts behind Geneva, the major components of the codebase, and how they can be used.

Censorship Evasion Strategies

A censorship evasion strategy is simply a description of how network traffic should be modified. A strategy is not code; it is a description that tells Geneva's strategy engine how it should manipulate network traffic. The goal of a censorship evasion strategy is to modify the network traffic in such a way that the censor is unable to censor it, but the client/server communication is unimpacted.

A censorship evasion strategy is composed of one or more packet-level building blocks. Geneva's core building blocks are:

  1. duplicate: takes one packet and returns two copies of the packet
  2. drop: takes one packet and returns no packets (drops the packet)
  3. tamper: takes one packet and returns the modified packet
  4. fragment: takes one packet and returns two fragments or two segments

Since duplicate and fragment introduce branching, these actions are composed into a binary-tree structure called an action tree. Each tree also has a trigger. The trigger describes which packets the tree should run on, and the tree describes what should happen to each of those packets when the trigger fires. Once a trigger fires on a packet, it pulls the packet into the tree for modifications, and the packets that emerge from the tree are sent on the wire. Recall that Geneva operates at the packet level, therefore all triggers are packet-level triggers.

Multiple action trees together form a forest. Geneva handles outbound and inbound packets differently, so strategies are composed of two forests: an outbound forest and an inbound forest.

Consider the following example of a simple Geneva strategy.

                   +---------------+
                   |  TCP:flags:A  |         <-- triggers on TCP packets with the flags field set to 'ACK'
                   +-------+-------+             matching packets are captured and pulled into the tree
                           |
                 +---------v---------+
                       duplicate             <-- makes two copies of the given packet. the tree is processed 
                 +---------+---------+           with an inorder traversal, so the left side is run first
                           |
             +-------------+------------+
             |                          |
+------------v----------+               v    <-- duplicate has no right child, so this packet will be sent on the wire unimpacted
          tamper              
  {TCP:flags:replace:R}      <-- parameters to this action describe how the packet should be tampered 
+------------+----------+
             |
+------------v----------+
          tamper
   {TCP:chksum:corrupt}
+------------+----------+
             |
             v               <-- packets that emerge from an in-order traversal of the leaves are sent on the wire

This strategy triggers on TCP packets with the flags field set to ACK. It makes a duplicate of the ACK packet; the first duplicate has its flags field changed to RST and its checksum (chksum) field corrupted; the second duplicate is unchanged. Both packets are then sent on the network.

Strategy DNA

These strategies can be arbitrarily complicated, and Geneva defines a well-formatted string syntax for unambiguously expressing strategies.

A strategy divides how it handles outbound and inbound packets: these are separated in the DNA by a "\/". Specifically, the strategy format is <outbound forest> \/ <inbound forest>. If \/ is not present in a strategy, all of the action trees are in the outbound forest.

Both forests are composed of action trees, and each forest may contain arbitrarily many trees.

Action trees always start with a trigger, which is formatted as: [<protocol>:<field>:<value>]. For example, the trigger: [TCP:flags:S] will run its corresponding tree whenever it sees a TCP packet with the flags field set to SYN. If the corresponding action tree is [TCP:flags:S]-drop-|, this action tree will cause the engine to drop any SYN packets. [TCP:flags:S]-duplicate-| will cause the engine to duplicate any SYN packets.

Syntactically, action trees end with -|.

Depending on the type of action, some actions can have up to two children (such as duplicate). These are represented with the following syntax: [TCP:flags:S]-duplicate(<left_child>,<right_child>)-|, where <left_child> and <right_child> themselves are trees. If (,) is not specified, any packets that emerge from the action will be sent on the wire. If an action only has one child (such as tamper), it is always the left child, as in [TCP:flags:S]-tamper{<parameters>}(<left_child>,)-|.

Actions that have parameters specify those parameters within {}. For example, giving parameters to the tamper action could look like: [TCP:flags:S]-tamper{TCP:flags:replace:A}-|. This strategy would trigger on TCP SYN packets and replace the TCP flags field with ACK.

Putting this all together, below is the strategy DNA representation of the above diagram:

[TCP:flags:A]-duplicate(tamper{TCP:flags:replace:R}(tamper{TCP:chksum:corrupt},),)-| \/

Geneva has code to parse this strategy DNA into strategies that can be applied to network traffic using the engine.

Note that due to limitations of Scapy and NFQueue, actions that introduce branching (fragment, duplicate) are disabled for incoming action forests.
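
To make the syntax rules above concrete, here is a small recursive-descent parser and a symbolic walk of the resulting tree. It is an added example, not Geneva's own parser: the class and function names are hypothetical, it covers only the four building blocks and the syntax described on this page, and it assumes trees in a forest are written back to back, each ending in `-|`.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Maximum number of children per building block, per the action list above.
MAX_CHILDREN = {"duplicate": 2, "fragment": 2, "tamper": 1, "drop": 0}
Packet = Tuple[str, ...]   # symbolic packet: the edits applied to it so far
DIAGRAM = r"[TCP:flags:A]-duplicate(tamper{TCP:flags:replace:R}(tamper{TCP:chksum:corrupt},),)-| \/"

@dataclass
class Action:
    name: str
    params: Optional[str] = None
    left: Optional["Action"] = None
    right: Optional["Action"] = None

@dataclass
class Tree:
    trigger: Tuple[str, ...]   # (protocol, field, value)
    root: Optional[Action]

def _expect(s: str, i: int, token: str) -> int:
    if not s.startswith(token, i):
        raise ValueError(f"expected {token!r} at offset {i}")
    return i + len(token)

def _parse_action(s: str, i: int) -> Tuple[Action, int]:
    j = i
    while j < len(s) and s[j].isalpha():
        j += 1
    node = Action(s[i:j])
    if node.name not in MAX_CHILDREN:
        raise ValueError(f"unknown action {node.name!r} at offset {i}")
    if s.startswith("{", j):                       # optional {parameters}
        end = s.find("}", j)
        if end < 0:
            raise ValueError("unterminated '{'")
        node.params, j = s[j + 1:end], end + 1
    if s.startswith("(", j):                       # optional (<left>,<right>)
        j += 1
        if not s.startswith(",", j):
            node.left, j = _parse_action(s, j)
        j = _expect(s, j, ",")
        if not s.startswith(")", j):
            node.right, j = _parse_action(s, j)
        j = _expect(s, j, ")")
    count = (node.left is not None) + (node.right is not None)
    right_only = node.name == "tamper" and node.right is not None
    if count > MAX_CHILDREN[node.name] or right_only:
        raise ValueError(f"{node.name} cannot take these children")
    return node, j

def _parse_forest(s: str) -> List[Tree]:
    trees: List[Tree] = []
    i = 0
    while True:
        while i < len(s) and s[i].isspace():
            i += 1
        if i == len(s):
            return trees
        i = _expect(s, i, "[")
        end = s.find("]", i)
        parts = s[i:end].split(":", 2) if end >= 0 else []
        if len(parts) != 3:
            raise ValueError("trigger must be [<protocol>:<field>:<value>]")
        i, root = _expect(s, end + 1, "-"), None
        if not s.startswith("|", i):
            root, i = _parse_action(s, i)
            i = _expect(s, i, "-")
        i = _expect(s, i, "|")                     # every tree ends with -|
        trees.append(Tree(tuple(parts), root))

def parse_strategy(dna: str) -> dict:
    # Without the separator, every tree belongs to the outbound forest.
    outbound, _, inbound = dna.partition("\\/")
    return {"out": _parse_forest(outbound), "in": _parse_forest(inbound)}

def inbound_branching(strategy: dict) -> List[str]:
    """Branching actions found in the inbound forest (disabled per the note above)."""
    found, stack = [], [t.root for t in strategy["in"]]
    while stack:
        node = stack.pop()
        if node is not None:
            if MAX_CHILDREN[node.name] == 2:
                found.append(node.name)
            stack += [node.right, node.left]
    return found

def emerge(node: Optional[Action], pkt: Packet = ()) -> List[Packet]:
    """Symbolically run one packet through a tree; returns packets in send order."""
    if node is None:
        return [pkt]                               # no further action: sent as is
    if node.name == "drop":
        return []
    if node.name == "tamper":
        return emerge(node.left, pkt + (node.params or "unspecified",))
    if node.name == "duplicate":
        first = second = pkt
    else:                                          # fragment: two pieces
        first, second = pkt + ("fragment 1",), pkt + ("fragment 2",)
    return emerge(node.left, first) + emerge(node.right, second)  # left runs first

if __name__ == "__main__":
    for packet in emerge(parse_strategy(DIAGRAM)["out"][0].root):
        print(packet or "(unmodified copy)")
```

For the diagram's strategy, the walk yields the tampered copy first and the untouched copy second, matching the description of the diagram.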

Engine

The strategy engine (engine.py) applies a strategy to a network connection. The engine works by capturing all traffic to/from a specified port. Packets that match an active trigger are run through the associated action-tree, and packets that emerge from the tree are sent on the wire.

The engine also has a Python API for using it in your application. It can be used as a context manager or invoked in the background as a thread. For example, consider the following simple application.

import os
import engine

# Port to run the engine on
port = 80
# Strategy to use (raw string, so the "\/" separator is not read as an escape sequence)
strategy = r"[TCP:flags:A]-duplicate(tamper{TCP:flags:replace:R}(tamper{TCP:chksum:corrupt},),)-| \/"

# Create the engine in debug mode
with engine.Engine(port, strategy, log_level="debug") as eng:
    os.system("curl http://example.com?q=ultrasurf")

This script creates an instance of the engine with a specified strategy, and that strategy will be running for everything within the context manager. When the context manager exits, the engine will clean itself up. See the examples/ folder for more use cases of the engine.

Due to limitations of Scapy and NFQueue, the engine cannot be used to communicate with localhost.

Citation

If you like the work or plan to use it in your projects, please follow the guidelines in citation.bib.

Paper

See our paper from CCS or the rest of our papers and talks for an in-depth dive into how Geneva works and how it can be applied.

Contributors

Kevin Bock

George Hughey

Xiao Qiang

Dave Levin


geneva's Issues

NetfilterQueue run_socket error

I'm running NetfilterQueue git version because I couldn't get pip to install it but that shouldn't matter I think.
LOG:

##$ sudo python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{IP:len:replace:64},)-|" --log debug

2020-01-25 04:13:35 DEBUG:[ENGINE] Engine created with strategy [TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-| \/ (ID xlez5tdl) to port 80
2020-01-25 04:13:35 DEBUG:[ENGINE] Configuring iptables rules
2020-01-25 04:13:35 DEBUG:[ENGINE] iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
2020-01-25 04:13:35 DEBUG:[ENGINE] iptables -A INPUT -p tcp --sport 80 -j NFQUEUE --queue-num 2
2020-01-25 04:13:35 DEBUG:[ENGINE] iptables -A OUTPUT -p udp --dport 80 -j NFQUEUE --queue-num 1
2020-01-25 04:13:35 DEBUG:[ENGINE] iptables -A INPUT -p udp --sport 80 -j NFQUEUE --queue-num 2
2020-01-25 04:13:36 DEBUG:[ENGINE] NFQueue Initialized after 0
2020-01-25 04:13:37 ERROR:[ENGINE] Exception out of run_nfqueue() (direction=in)
Traceback (most recent call last):
  File "engine.py", line 115, in run_nfqueue
    nfqueue.run_socket(nfqueue_socket)
SystemError: <method 'run_socket' of 'netfilterqueue.NetfilterQueue' objects> returned NULL without setting an error
2020-01-25 04:13:37 ERROR:[ENGINE] Exception out of run_nfqueue() (direction=out)
Traceback (most recent call last):
  File "engine.py", line 115, in run_nfqueue
    nfqueue.run_socket(nfqueue_socket)
SystemError: <method 'run_socket' of 'netfilterqueue.NetfilterQueue' objects> returned NULL without setting an error

Iran Needs You

Hi There,
Iranian people are under a heavy filtering service by gov. I myself accidentally and by chance connected to the web and came here to say that we need you guys and your help.
If you can help and get some fast tip answer this issue pls.

Best Regards - Iranian People

listen on multi ports?

I run:
engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug

It worked fine, so is it possible engine.py could listen and work as a service on multiple ports, such as 1000:1200?

million TKS

TypeError: '_sre.SRE_Match' object is not subscriptable

I can't run it.

# python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug
Traceback (most recent call last):
  File "engine.py", line 329, in main
    log_level=args["log"])
  File "engine.py", line 54, in __init__
    self.strategy = actions.utils.parse(string_strategy, self.logger)
  File "/root/geneva/actions/utils.py", line 74, in parse
    new_tree.parse(str_action, logger)
  File "/root/geneva/actions/tree.py", line 180, in parse
    if not match or not match[0]:
TypeError: '_sre.SRE_Match' object is not subscriptable

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "engine.py", line 338, in <module>
    main(vars(get_args()))
  File "engine.py", line 334, in main
    eng.shutdown_nfqueue()
UnboundLocalError: local variable 'eng' referenced before assignment

Debian GNU/Linux 9.11 (stretch)

Pip install multiple errors on Debian 10

python3 -m pip install -r requirements.txt produces multiple errors when run on Debian 10.

building 'netfilterqueue' extension
  creating build
  creating build/temp.linux-x86_64-3.7
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.7m -c netfilterqueue.c -o build/temp.linux-x86_64-3.7/netfilterqueue.o
  netfilterqueue.c: In function ‘__pyx_f_14netfilterqueue_6Packet_set_nfq_data’:
  netfilterqueue.c:2150:68: warning: passing argument 2 of ‘nfq_get_payload’ from incompatible pointer type [-Wincompatible-pointer-types]
     __pyx_v_self->payload_len = nfq_get_payload(__pyx_v_self->_nfa, (&__pyx_v_self->payload));
                                                                     ~^~~~~~~~~~~~~~~~~~~~~~~
  In file included from netfilterqueue.c:440:
  /usr/include/libnetfilter_queue/libnetfilter_queue.h:122:67: note: expected ‘unsigned char **’ but argument is of type ‘char **’
   extern int nfq_get_payload(struct nfq_data *nfad, unsigned char **data);
                                                     ~~~~~~~~~~~~~~~~^~~~
  netfilterqueue.c: In function ‘__pyx_pf_14netfilterqueue_6Packet_4get_hw’:
  netfilterqueue.c:2533:17: warning: implicit declaration of function ‘PyString_FromStringAndSize’; did you mean ‘PyBytes_FromStringAndSize’? [-Wimplicit-function-declaration]
       __pyx_t_3 = PyString_FromStringAndSize(((char *)__pyx_v_self->hw_addr), 8); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 111, __pyx_L1_error)
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~
                   PyBytes_FromStringAndSize
  netfilterqueue.c:2533:15: warning: assignment to ‘PyObject *’ {aka ‘struct _object *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
       __pyx_t_3 = PyString_FromStringAndSize(((char *)__pyx_v_self->hw_addr), 8); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 111, __pyx_L1_error)
                 ^
  netfilterqueue.c: In function ‘__Pyx_PyCFunction_FastCall’:
  netfilterqueue.c:6436:13: error: too many arguments to function ‘(PyObject * (*)(PyObject *, PyObject * const*, Py_ssize_t))meth’
       return (*((__Pyx_PyCFunctionFast)meth)) (self, args, nargs, NULL);
              ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  netfilterqueue.c: In function ‘__Pyx__ExceptionSave’:
  netfilterqueue.c:7132:21: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
       *type = tstate->exc_type;
                       ^~~~~~~~
                       curexc_type
  netfilterqueue.c:7133:22: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
       *value = tstate->exc_value;
                        ^~~~~~~~~
                        curexc_value
  netfilterqueue.c:7134:19: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
       *tb = tstate->exc_traceback;
                     ^~~~~~~~~~~~~
                     curexc_traceback
  netfilterqueue.c: In function ‘__Pyx__ExceptionReset’:
  netfilterqueue.c:7141:24: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
       tmp_type = tstate->exc_type;
                          ^~~~~~~~
                          curexc_type
  netfilterqueue.c:7142:25: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
       tmp_value = tstate->exc_value;
                           ^~~~~~~~~
                           curexc_value
  netfilterqueue.c:7143:22: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
       tmp_tb = tstate->exc_traceback;
                        ^~~~~~~~~~~~~
                        curexc_traceback
  netfilterqueue.c:7144:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
       tstate->exc_type = type;
               ^~~~~~~~
               curexc_type
  netfilterqueue.c:7145:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
       tstate->exc_value = value;
               ^~~~~~~~~
               curexc_value
  netfilterqueue.c:7146:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
       tstate->exc_traceback = tb;
               ^~~~~~~~~~~~~
               curexc_traceback
  netfilterqueue.c: In function ‘__Pyx__GetException’:
  netfilterqueue.c:7201:24: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
       tmp_type = tstate->exc_type;
                          ^~~~~~~~
                          curexc_type
  netfilterqueue.c:7202:25: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
       tmp_value = tstate->exc_value;
                           ^~~~~~~~~
                           curexc_value
  netfilterqueue.c:7203:22: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
       tmp_tb = tstate->exc_traceback;
                        ^~~~~~~~~~~~~
                        curexc_traceback
  netfilterqueue.c:7204:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
       tstate->exc_type = local_type;
               ^~~~~~~~
               curexc_type
  netfilterqueue.c:7205:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
       tstate->exc_value = local_value;
               ^~~~~~~~~
               curexc_value
  netfilterqueue.c:7206:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
       tstate->exc_traceback = local_tb;
               ^~~~~~~~~~~~~
               curexc_traceback
  error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
  
  ----------------------------------------
  Failed building wheel for netfilterqueue
  Running setup.py clean for netfilterqueue
  Running setup.py bdist_wheel for mysql-connector ... done
  Stored in directory: /home/andy/.cache/pip/wheels/8c/83/a1/f8b6d4bb1bd6208bbde1608bbfa7557504bed9eaf2ecf8c175
  Running setup.py bdist_wheel for slackclient ... done
  Stored in directory: /home/andy/.cache/pip/wheels/b0/c7/4e/23104e3c04bf4248a1f9e24d82978e910e3ae4761e00f878e5
  Running setup.py bdist_wheel for psutil ... done
  Stored in directory: /home/andy/.cache/pip/wheels/39/a0/f5/c4fa280463e29aea07797acb5312358fefb067c1f4f98e11b1
Successfully built scapy netifaces mysql-connector slackclient psutil
Failed to build netfilterqueue
slackclient 1.3.1 has requirement websocket-client<0.55.0,>=0.35, but you'll have websocket-client 0.57.0 which is incompatible.
Installing collected packages: attrs, py, zipp, importlib-metadata, pluggy, iniconfig, pyparsing, packaging, toml, more-itertools, pytest, scapy, dnspython, websocket-client, docker, anytree, graphviz, netifaces, netfilterqueue, pycparser, cffi, cryptography, bcrypt, pynacl, paramiko, coverage, codecov, pytest-cov, tld, python-dotenv, mysql-connector, slackclient, soupsieve, beautifulsoup4, psutil, tqdm
  The scripts py.test and pytest are installed in '/home/andy/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  The scripts UTscapy and scapy are installed in '/home/andy/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  Running setup.py install for netfilterqueue ... error
    Complete output from command /usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-s341lk2z/netfilterqueue/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-4o45wq9_/install-record.txt --single-version-externally-managed --compile --user --prefix=:
    running install
    running build
    running build_ext
    building 'netfilterqueue' extension
    creating build
    creating build/temp.linux-x86_64-3.7
    x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.7m -c netfilterqueue.c -o build/temp.linux-x86_64-3.7/netfilterqueue.o
    netfilterqueue.c: In function ‘__pyx_f_14netfilterqueue_6Packet_set_nfq_data’:
    netfilterqueue.c:2150:68: warning: passing argument 2 of ‘nfq_get_payload’ from incompatible pointer type [-Wincompatible-pointer-types]
       __pyx_v_self->payload_len = nfq_get_payload(__pyx_v_self->_nfa, (&__pyx_v_self->payload));
                                                                       ~^~~~~~~~~~~~~~~~~~~~~~~
    In file included from netfilterqueue.c:440:
    /usr/include/libnetfilter_queue/libnetfilter_queue.h:122:67: note: expected ‘unsigned char **’ but argument is of type ‘char **’
     extern int nfq_get_payload(struct nfq_data *nfad, unsigned char **data);
                                                       ~~~~~~~~~~~~~~~~^~~~
    netfilterqueue.c: In function ‘__pyx_pf_14netfilterqueue_6Packet_4get_hw’:
    netfilterqueue.c:2533:17: warning: implicit declaration of function ‘PyString_FromStringAndSize’; did you mean ‘PyBytes_FromStringAndSize’? [-Wimplicit-function-declaration]
         __pyx_t_3 = PyString_FromStringAndSize(((char *)__pyx_v_self->hw_addr), 8); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 111, __pyx_L1_error)
                     ^~~~~~~~~~~~~~~~~~~~~~~~~~
                     PyBytes_FromStringAndSize
    netfilterqueue.c:2533:15: warning: assignment to ‘PyObject *’ {aka ‘struct _object *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
         __pyx_t_3 = PyString_FromStringAndSize(((char *)__pyx_v_self->hw_addr), 8); if (unlikely(!__pyx_t_3)) __PYX_ERR(0, 111, __pyx_L1_error)
                   ^
    netfilterqueue.c: In function ‘__Pyx_PyCFunction_FastCall’:
    netfilterqueue.c:6436:13: error: too many arguments to function ‘(PyObject * (*)(PyObject *, PyObject * const*, Py_ssize_t))meth’
         return (*((__Pyx_PyCFunctionFast)meth)) (self, args, nargs, NULL);
                ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    netfilterqueue.c: In function ‘__Pyx__ExceptionSave’:
    netfilterqueue.c:7132:21: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
         *type = tstate->exc_type;
                         ^~~~~~~~
                         curexc_type
    netfilterqueue.c:7133:22: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
         *value = tstate->exc_value;
                          ^~~~~~~~~
                          curexc_value
    netfilterqueue.c:7134:19: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
         *tb = tstate->exc_traceback;
                       ^~~~~~~~~~~~~
                       curexc_traceback
    netfilterqueue.c: In function ‘__Pyx__ExceptionReset’:
    netfilterqueue.c:7141:24: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
         tmp_type = tstate->exc_type;
                            ^~~~~~~~
                            curexc_type
    netfilterqueue.c:7142:25: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
         tmp_value = tstate->exc_value;
                             ^~~~~~~~~
                             curexc_value
    netfilterqueue.c:7143:22: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
         tmp_tb = tstate->exc_traceback;
                          ^~~~~~~~~~~~~
                          curexc_traceback
    netfilterqueue.c:7144:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
         tstate->exc_type = type;
                 ^~~~~~~~
                 curexc_type
    netfilterqueue.c:7145:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
         tstate->exc_value = value;
                 ^~~~~~~~~
                 curexc_value
    netfilterqueue.c:7146:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
         tstate->exc_traceback = tb;
                 ^~~~~~~~~~~~~
                 curexc_traceback
    netfilterqueue.c: In function ‘__Pyx__GetException’:
    netfilterqueue.c:7201:24: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
         tmp_type = tstate->exc_type;
                            ^~~~~~~~
                            curexc_type
    netfilterqueue.c:7202:25: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
         tmp_value = tstate->exc_value;
                             ^~~~~~~~~
                             curexc_value
    netfilterqueue.c:7203:22: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
         tmp_tb = tstate->exc_traceback;
                          ^~~~~~~~~~~~~
                          curexc_traceback
    netfilterqueue.c:7204:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_type’; did you mean ‘curexc_type’?
         tstate->exc_type = local_type;
                 ^~~~~~~~
                 curexc_type
    netfilterqueue.c:7205:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_value’; did you mean ‘curexc_value’?
         tstate->exc_value = local_value;
                 ^~~~~~~~~
                 curexc_value
    netfilterqueue.c:7206:13: error: ‘PyThreadState’ {aka ‘struct _ts’} has no member named ‘exc_traceback’; did you mean ‘curexc_traceback’?
         tstate->exc_traceback = local_tb;
                 ^~~~~~~~~~~~~
                 curexc_traceback
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
    
    ----------------------------------------
Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-s341lk2z/netfilterqueue/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-4o45wq9_/install-record.txt --single-version-externally-managed --compile --user --prefix=" failed with error code 1 in /tmp/pip-install-s341lk2z/netfilterqueue/

hi

I ran it all night. Why has my fitness value not been high?

Exception out of run_nfqueue()

ubuntu@instance-20200501-0913:~/geneva$ sudo python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug
2020-08-24 13:18:59 WARNING:[ENGINE] No environment ID given, one has been generated (w2rlta48)
2020-08-24 13:18:59 DEBUG:[ENGINE] Engine created with strategy [TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-| \/ (ID w2rlta48) to port 80
2020-08-24 13:18:59 DEBUG:[ENGINE] Configuring iptables rules
2020-08-24 13:18:59 DEBUG:[ENGINE] iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 2
2020-08-24 13:18:59 DEBUG:[ENGINE] iptables -A INPUT -p tcp --sport 80 -j NFQUEUE --queue-num 1
2020-08-24 13:18:59 DEBUG:[ENGINE] iptables -A OUTPUT -p udp --dport 80 -j NFQUEUE --queue-num 2
2020-08-24 13:18:59 DEBUG:[ENGINE] iptables -A INPUT -p udp --sport 80 -j NFQUEUE --queue-num 1
2020-08-24 13:18:59 DEBUG:[ENGINE] NFQueue Initialized after 0
2020-08-24 13:19:00 ERROR:[ENGINE] Exception out of run_nfqueue() (direction=in)
Traceback (most recent call last):
  File "engine.py", line 197, in run_nfqueue
    nfqueue.run_socket(nfqueue_socket)
SystemError: <method 'run_socket' of 'netfilterqueue.NetfilterQueue' objects> returned NULL without setting an error
2020-08-24 13:19:00 ERROR:[ENGINE] Exception out of run_nfqueue() (direction=out)
Traceback (most recent call last):
  File "engine.py", line 197, in run_nfqueue
    nfqueue.run_socket(nfqueue_socket)
SystemError: <method 'run_socket' of 'netfilterqueue.NetfilterQueue' objects> returned NULL without setting an error

OS: Ubuntu 20.04

Any idea on what I can do to help to debug the issue?

Thanks

How to use it?

Hi,
I want to know if it is possible to run this on my server and connect to the server with the Android client using some protocols like Shadowsocks or OpenVPN to have free internet on my Android client or not?

Server side evaluation using docker

I am trying to run the server-side evaluation strategy using the built-in censors with the help of Docker.
Cmd: sudo python3 evolve.py --server-side --test-type echo --censor censor2 --log debug

But I am receiving the following error:
File "/code/actions/utils.py", line 97, in parse
raise actions.tree.ActionTreeParseError("Failed to parse tree")
actions.tree.ActionTreeParseError: Failed to parse tree

This error got resolved by using this modified command:
sudo python3 evolve.py --strategy "/" --server-side --test-type echo --censor censor2 --log debug

But a new error is displayed:
File "/home/chhavi/ACN/Geneva/geneva/evaluator.py", line 256, in run_test
ind.fitness = server.punish_fitness(ind.fitness, self.logger)
AttributeError: 'NoneType' object has no attribute 'punish_fitness'

I think the main cause of the above errors is that the engine is running from the client side rather than the server side.

Can you please tell me how to run server-side evaluation using Docker?

Internal evaluation (training) on the server-side returns a subprocess timeout error

python3 evolve.py --population 200 --generations 25 --test-type http --server forbidden.org --censor censor4 --server-side

File "/home/abe/geneva/evaluator.py", line 322, in run_docker_client
self.exec_cmd(command)
File "/home/abe/geneva/evaluator.py", line 494, in exec_cmd
subprocess.check_call(command, timeout=60)
File "/usr/lib/python3.9/subprocess.py", line 373, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['docker', 'exec', '--privileged', 'client_canary', 'python', 'code/plugins/plugin_client.py', '--server', '172.17.0.4', '--test-type', 'http', '--strategy', "''", '--log', 'debug', '--output-directory', 'trials/2022-06-22_11:40:18', '--server-side', '--port', '3818', '--censor', 'censor4', '--workers', '1', '--bad-word', 'ultrasurf', '--runs', '1', '--fitness-by', 'avg', '--no-engine', '--server', '172.17.0.4', '--wait-for-censor', '--host-header', "''", '--injected-http-contains', "''", '--environment-id', 'canary']' returned non-zero exit status 1.
Exception in thread Thread-1:

subprocess.Popen issues on Windows

This is why we write tests :)

actions\tree.py:458: in pretty_print
    DotExporter(newroot).to_picture("tree.png")
C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python37_64\lib\site-packages\anytree\exporter\dotexporter.py:268: in to_picture
    check_call(cmd)
C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python37_64\lib\subprocess.py:342: in check_call
    retcode = call(*popenargs, **kwargs)
C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python37_64\lib\subprocess.py:323: in call
    with Popen(*popenargs, **kwargs) as p:
C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python37_64\lib\subprocess.py:775: in __init__
    restore_signals, start_new_session)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <subprocess.Popen object at 0x00000200239E4518>
args = 'dot C:\\Users\\GEHUGHEY\\AppData\\Local\\Temp\\tmpqik02k1j -T png -o tree.png', executable = None
preexec_fn = None, close_fds = True, pass_fds = (), cwd = None, env = None
startupinfo = <subprocess.STARTUPINFO object at 0x00000200239E4A20>, creationflags = 0, shell = False, p2cread = -1
p2cwrite = -1, c2pread = -1, c2pwrite = -1, errread = -1, errwrite = -1, unused_restore_signals = True
unused_start_new_session = False

OSError: Failed to create queue 1.

Hi, thank you for help in advance...

I get error OSError: Failed to create queue 1.
Python: 3.10.7
Kernel: archlinux 5.19.12-arch1-1-amd64

# python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug
/usr/lib/python3.10/site-packages/scapy/layers/ipsec.py:471: CryptographyDeprecationWarning: Blowfish has been deprecated
  cipher=algorithms.Blowfish,
/usr/lib/python3.10/site-packages/scapy/layers/ipsec.py:485: CryptographyDeprecationWarning: CAST5 has been deprecated
  cipher=algorithms.CAST5,
WARNING:[ENGINE] No environment ID given, one has been generated (parw9j5p)
DEBUG:[ENGINE] Engine created with strategy [TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-| \/ (ID parw9j5p) to port 80
DEBUG:[ENGINE] Configuring iptables rules
DEBUG:[ENGINE] iptables -A OUTPUT -p tcp --match tcp --dport 80 -j NFQUEUE --queue-num 2
DEBUG:[ENGINE] iptables -A INPUT -p tcp --match tcp --sport 80 -j NFQUEUE --queue-num 1
DEBUG:[ENGINE] iptables -A OUTPUT -p udp --match udp --dport 80 -j NFQUEUE --queue-num 2
DEBUG:[ENGINE] iptables -A INPUT -p udp --match udp --sport 80 -j NFQUEUE --queue-num 1
Traceback (most recent call last):
  File "/opt/anti_c/geneva-master/engine.py", line 470, in <module>
    main(vars(get_args()))
  File "/opt/anti_c/geneva-master/engine.py", line 454, in main
    with Engine(args["server_port"],
  File "/opt/anti_c/geneva-master/engine.py", line 130, in __enter__
    self.initialize_nfqueue()
  File "/opt/anti_c/geneva-master/engine.py", line 272, in initialize_nfqueue
    self.in_nfqueue.bind(self.in_queue_num, self.in_callback)
  File "netfilterqueue/_impl.pyx", line 270, in netfilterqueue._impl.NetfilterQueue.bind
OSError: Failed to create queue 1.

Another question: does Geneva help me on HTTPS too?!

geneva error: Traceback (most recent call last)

Hi

python3 engine.py --server-port 80 --strategy "\/" --log debug

        PIP package scapy-python3 used to provide scapy3k, which was a fork from scapy implementing python3 compatibility since 2016. This package was included in some of the Linux distros under name of python3-scapy. Starting from scapy version 2.4 (released in March, 2018) mainstream scapy supports python3. To reduce any confusion scapy3k was renamed to kamene. 
You should use either pip package kamene for scapy3k (see http://github.com/phaethon/kamene for differences in use) or mainstream scapy (pip package scapy, http://github.com/secdev/scapy).  

Traceback (most recent call last):
  File "/home/msadr471/Documents/App/geneva/engine.py", line 28, in <module>
    import layers.packet
  File "/home/msadr471/Documents/App/geneva/layers/packet.py", line 4, in <module>
    import layers.layer
  File "/home/msadr471/Documents/App/geneva/layers/layer.py", line 8, in <module>
    from scapy.all import IP, RandIP, UDP, DNS, DNSQR, Raw, TCP, fuzz
  File "/home/msadr471/.local/lib/python3.10/site-packages/scapy/all.py", line 5, in <module>
    raise Exception(msg)
Exception: 
        PIP package scapy-python3 used to provide scapy3k, which was a fork from scapy implementing python3 compatibility since 2016. This package was included in some of the Linux distros under name of python3-scapy. Starting from scapy version 2.4 (released in March, 2018) mainstream scapy supports python3. To reduce any confusion scapy3k was renamed to kamene. 
You should use either pip package kamene for scapy3k (see http://github.com/phaethon/kamene for differences in use) or mainstream scapy (pip package scapy, http://github.com/secdev/scapy).  



sudo python3 engine.py --server-port 80 --strategy "\/" --log debug
Traceback (most recent call last):
  File "/home/msadr471/Documents/App/geneva/engine.py", line 22, in <module>
    from scapy.layers.inet import IP
ModuleNotFoundError: No module named 'scapy'

What is wrong with scapy?
How do I fix this?

Error: PermissionError: [Errno 1] Operation not permitted

I'm using eth to run the engine below, but it throws a permission denied error.

Note: I'm using python virtualenv environment and running as a non-root user.

$python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug
2021-08-30 21:07:04 WARNING:[ENGINE] No environment ID given, one has been generated (6kgpb2xu)
Traceback (most recent call last):
  File "engine.py", line 444, in main
    eng = Engine(args["server_port"],
  File "engine.py", line 103, in __init__
    self.strategy = actions.utils.parse(string_strategy, self.logger)
  File "/home/xyz/geneva/actions/utils.py", line 93, in parse
    success = new_tree.parse(str_action, logger)
  File "/home/xyz/geneva/actions/tree.py", line 208, in parse
    self.action_root = self.do_parse(self.action_root, tree, logger)
  File "/home/xyz/geneva/actions/tree.py", line 143, in do_parse
    action_obj = actions.action.Action.parse_action(action_string, self.direction, logger)
  File "/home/xyz/geneva/actions/action.py", line 149, in parse_action
    outs = Action.get_actions("out")
  File "/home/xyz/geneva/actions/action.py", line 126, in get_actions
    clsmembers = inspect.getmembers(sys.modules["actions."+action], predicate=check_action)
  File "/home/xyz/.asdf/installs/python/3.8.0/lib/python3.8/inspect.py", line 363, in getmembers
    if not predicate or predicate(value):
  File "/home/xyz/geneva/actions/action.py", line 122, in check_action
    obj().applies(direction) and \
  File "/home/xyz/geneva/actions/trace.py", line 39, in __init__
    self.socket = conf.L3socket(iface=actions.utils.get_interface())
  File "/home/xyz/geneva/venv/lib/python3.8/site-packages/scapy/arch/linux.py", line 467, in __init__
    self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))  # noqa: E501
  File "/home/xyz/.asdf/installs/python/3.8.0/lib/python3.8/socket.py", line 231, in __init__
    _socket.socket.__init__(self, family, type, proto, fileno)
PermissionError: [Errno 1] Operation not permitted

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "engine.py", line 463, in <module>
    main(vars(get_args()))
  File "engine.py", line 459, in main
    eng.shutdown_nfqueue()
UnboundLocalError: local variable 'eng' referenced before assignment


FileNotFoundError: [Errno 2] No such file or directory: b'liblibc.a'

I'm trying to test Geneva on Arch Linux and I got the error: FileNotFoundError: [Errno 2] No such file or directory: b'liblibc.a'

$sudo python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug
python3 engine.py --server-port 80 --strategy "[TCP:flags:PA]-duplicate(tamper{TCP:dataofs:replace:10}(tamper{TCP:chksum:corrupt},),)-|" --log debug
Traceback (most recent call last):
  File "/opt/Geneva/geneva/engine.py", line 22, in <module>
    from scapy.layers.inet import IP
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/layers/inet.py", line 25, in <module>
    from scapy.layers.l2 import Ether, Dot3, getmacbyip, CookedLinux, GRE, SNAP, \
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/layers/l2.py", line 17, in <module>
    from scapy.ansmachine import AnsweringMachine
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/ansmachine.py", line 16, in <module>
    from scapy.sendrecv import send, sniff
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/sendrecv.py", line 35, in <module>
    import scapy.route  # noqa: F401
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/route.py", line 194, in <module>
    conf.route = Route()
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/route.py", line 27, in __init__
    self.resync()
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/route.py", line 33, in resync
    from scapy.arch import read_routes
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/arch/__init__.py", line 28, in <module>
    from scapy.arch.bpf.core import get_if_raw_addr
  File "/opt/home/user01/.local/lib/python3.10/site-packages/scapy/arch/bpf/core.py", line 31, in <module>
    LIBC = cdll.LoadLibrary(find_library("libc"))
  File "/usr/lib/python3.10/ctypes/util.py", line 330, in find_library
    _get_soname(_findLib_gcc(name)) or _get_soname(_findLib_ld(name))
  File "/usr/lib/python3.10/ctypes/util.py", line 147, in _findLib_gcc
    if not _is_elf(file):
  File "/usr/lib/python3.10/ctypes/util.py", line 99, in _is_elf
    with open(filename, 'br') as thefile:
FileNotFoundError: [Errno 2] No such file or directory: b'liblibc.a'

I have installed everything in requirements.txt:

python3 -m pip install -r requirements.txt
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: pytest in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 1)) (7.1.3)
Requirement already satisfied: scapy==2.4.3 in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 2)) (2.4.3)
Requirement already satisfied: requests in /usr/lib/python3.10/site-packages (from -r requirements.txt (line 3)) (2.28.2)
Requirement already satisfied: dnspython in /usr/lib/python3.10/site-packages (from -r requirements.txt (line 4)) (2.3.0)
Requirement already satisfied: docker in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 5)) (6.0.0)
Requirement already satisfied: anytree in /usr/lib/python3.10/site-packages (from -r requirements.txt (line 6)) (2.8.0)
Requirement already satisfied: graphviz in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 7)) (0.20.1)
Requirement already satisfied: netifaces in /usr/lib/python3.10/site-packages (from -r requirements.txt (line 8)) (0.11.0)
Requirement already satisfied: netfilterqueue in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 9)) (1.0.0)
Requirement already satisfied: cryptography==3.3.2 in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 10)) (3.3.2)
Requirement already satisfied: paramiko in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 11)) (2.11.0)
Requirement already satisfied: codecov in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 12)) (2.1.12)
Requirement already satisfied: pytest-cov in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 13)) (4.0.0)
Requirement already satisfied: tld in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 15)) (0.12.6)
Requirement already satisfied: python-dotenv in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 16)) (0.21.0)
Requirement already satisfied: mysql-connector in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 17)) (2.2.9)
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3.10/site-packages (from -r requirements.txt (line 18)) (4.11.2)
Requirement already satisfied: psutil in /usr/lib/python3.10/site-packages (from -r requirements.txt (line 20)) (5.9.4)
Requirement already satisfied: tqdm in /opt/home/solon/.local/lib/python3.10/site-packages (from -r requirements.txt (line 21)) (4.65.0)
Requirement already satisfied: six>=1.4.1 in /usr/lib/python3.10/site-packages (from cryptography==3.3.2->-r requirements.txt (line 10)) (1.16.0)
Requirement already satisfied: cffi>=1.12 in /usr/lib/python3.10/site-packages (from cryptography==3.3.2->-r requirements.txt (line 10)) (1.15.1)
Requirement already satisfied: tomli>=1.0.0 in /usr/lib/python3.10/site-packages (from pytest->-r requirements.txt (line 1)) (2.0.1)
Requirement already satisfied: py>=1.8.2 in /opt/home/solon/.local/lib/python3.10/site-packages (from pytest->-r requirements.txt (line 1)) (1.11.0)
Requirement already satisfied: iniconfig in /opt/home/solon/.local/lib/python3.10/site-packages (from pytest->-r requirements.txt (line 1)) (1.1.1)
Requirement already satisfied: packaging in /usr/lib/python3.10/site-packages (from pytest->-r requirements.txt (line 1)) (23.0)
Requirement already satisfied: attrs>=19.2.0 in /opt/home/solon/.local/lib/python3.10/site-packages (from pytest->-r requirements.txt (line 1)) (21.4.0)
Requirement already satisfied: pluggy<2.0,>=0.12 in /opt/home/solon/.local/lib/python3.10/site-packages (from pytest->-r requirements.txt (line 1)) (1.0.0)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/lib/python3.10/site-packages (from requests->-r requirements.txt (line 3)) (1.26.13)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3.10/site-packages (from requests->-r requirements.txt (line 3)) (3.4)
Requirement already satisfied: websocket-client>=0.32.0 in /opt/home/solon/.local/lib/python3.10/site-packages (from docker->-r requirements.txt (line 5)) (1.5.1)
Requirement already satisfied: bcrypt>=3.1.3 in /opt/home/solon/.local/lib/python3.10/site-packages (from paramiko->-r requirements.txt (line 11)) (4.0.0)
Requirement already satisfied: pynacl>=1.0.1 in /opt/home/solon/.local/lib/python3.10/site-packages (from paramiko->-r requirements.txt (line 11)) (1.5.0)
Requirement already satisfied: coverage in /opt/home/solon/.local/lib/python3.10/site-packages (from codecov->-r requirements.txt (line 12)) (6.5.0)
Requirement already satisfied: soupsieve>1.2 in /usr/lib/python3.10/site-packages (from beautifulsoup4->-r requirements.txt (line 18)) (2.4)
Requirement already satisfied: pycparser in /usr/lib/python3.10/site-packages (from cffi>=1.12->cryptography==3.3.2->-r requirements.txt (line 10)) (2.21)

Linux user01-pc 6.2.12-arch1-1

Any help is appreciated.

Running geneva on server side (router)

Hello, there is a quote in your README that you can run Geneva from the server side, but I found no docs for this case.
Is there any way to launch this on a router (for example OpenWrt) to avoid DPI? How will it work as a server? Maybe there are some links I haven't seen.

how to deal with Code 501

When I run the strategies with Geneva towards the GFW, most of them are blocked by RST+3*(RST,ACK). The others are Code 501. Does 501 mean success, or is something wrong?

NAT problem

I found an issue with the NAT logic in your code. If the source IP address of a packet is changed to the IP address of the front router itself, the router will not perform NAT because the incoming packet is not from local network. As a result, the packet will not be correctly translated.

I have tested this with different routers and it didn't work.

sudo python3 engine.py --sender-ip myLocalIP --forward-ip destIP --routing-ip myPublicIpOnRouter --server-port 1289 --strategy "[TCP:flags:A]-duplicate(duplicate(duplicate,duplicate),duplicate(duplicate,duplicate(duplicate(duplicate,),)))-|" --log debug

No strategies found

So I ran geneva evolve with a population of 300 and 25 generations but was not able to find any working strategy. The censor basically forbids traffic by sending a RST+ACK in both directions (to client and to server). What could be the issue? Is Geneva just not effective anymore?

run as systemd issue

OS: centos 7
systemd service
```
[Unit]
Description=Geneva Server
[Service]
Type=simple
User=root
WorkingDirectory=/home/centos/geneva
ExecStart=/usr/bin/python3 /home/centos/geneva/engine.py --server-port mult-ports --strategy "XXXXX"

ExecReload=/bin/kill -HUP $MAINPID
Restart=always

[Install]
WantedBy=multi-user.target
```

1st run, type iptables -L:
NFQUEUE tcp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE udp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2

then, systemctl restart Geneva.service,
iptables -L
NFQUEUE tcp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE udp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE tcp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE udp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2

If I do it again, systemctl restart Geneva.service,
iptables -L showed
NFQUEUE tcp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE udp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE tcp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE udp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE tcp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
NFQUEUE udp -- anywhere anywhere multiport dports XXXX NFQUEUE num 2
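
The listing above shows the same NFQUEUE rules appended again on every restart. As an added example (not part of the issue and not Geneva's own code), this script finds identical NFQUEUE rules in `iptables -S` output and builds the `iptables -D` commands that remove the surplus copies. The sample rules are constructed, port 8080 stands in for the redacted ports, and the function names are hypothetical.

```python
import shlex
import subprocess
import sys
from collections import Counter

# Constructed `iptables -S` output after two restarts of the unit above.
# Port 8080 is a placeholder for the redacted "XXXX" in the report.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 8080 -j NFQUEUE --queue-num 2
-A OUTPUT -p udp -m multiport --dports 8080 -j NFQUEUE --queue-num 2
-A OUTPUT -p tcp -m multiport --dports 8080 -j NFQUEUE --queue-num 2
-A OUTPUT -p udp -m multiport --dports 8080 -j NFQUEUE --queue-num 2
-A OUTPUT -p tcp -m multiport --dports 8080 -j NFQUEUE --queue-num 2
-A OUTPUT -p udp -m multiport --dports 8080 -j NFQUEUE --queue-num 2
"""


def is_nfqueue_rule(tokens):
    """True for an appended rule (-A ...) whose jump target is NFQUEUE."""
    return (len(tokens) > 3 and tokens[0] == "-A"
            and "-j" in tokens[:-1]
            and tokens[tokens.index("-j") + 1] == "NFQUEUE")


def nfqueue_rules(rules_text):
    """Return every NFQUEUE rule as a token tuple, in table order."""
    rules = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if is_nfqueue_rule(tokens):
            rules.append(tuple(tokens))
    return rules


def extra_copies(rules_text):
    """Map each duplicated NFQUEUE rule to the number of surplus copies."""
    counts = Counter(nfqueue_rules(rules_text))
    return {rule: n - 1 for rule, n in counts.items() if n > 1}


def cleanup_commands(rules_text):
    """Build one `iptables -D` argv per surplus copy.

    `iptables -S` prints rules in the syntax iptables accepts, so swapping
    -A for -D deletes one matching rule; one copy of each rule is kept.
    """
    commands = []
    for rule, extras in extra_copies(rules_text).items():
        delete = ["iptables", "-D", *rule[1:]]
        commands.extend(list(delete) for _ in range(extras))
    return commands


if __name__ == "__main__":
    # Needs root: reads the live filter table and prints the cleanup plan.
    current = subprocess.run(["iptables", "-S"], check=True,
                             capture_output=True, text=True).stdout
    for cmd in cleanup_commands(current):
        print(shlex.join(cmd))
        if "--apply" in sys.argv[1:]:
            subprocess.run(cmd, check=True)
```

Run as root, it prints the delete commands for the live table; passing `--apply` (an option of this script only) executes them.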

Engine: Ability to set log file logging level

Currently Geneva's engine.py always writes its log file at debug level regardless of the --log level parameter. This can be a problem when downloading a large file or having too many connections, because the log file can grow very quickly.

os support

Please add Windows OS support. We are in Iran, suffering from internet censorship.
Thanks a lot

question about Server side

hi
I don't understand one thing. In the Geneva documents it says, "Geneva runs strictly on one side of the connection (either the client or server side)". My question is: if I run Geneva on my server, do I just use VPNs or a proxy to connect to the server?
I have OpenVPN, WireGuard and Shadowsocks on the server, and only Shadowsocks works from Iran. Many people use my server right now, so I want to ask this before doing anything.

libc.a not found

I found an issue with the location of libc.a in most Debian-based distributions. In most Debian distros, libc.a is not located in /usr/lib64/libc.a, but instead is located in /usr/lib/x86_64-linux-gnu/libc.a. This can cause issues for programs or scripts that rely on the location of libc.a.

To address this issue, I suggest updating any relevant documentation or scripts to reflect the correct location of libc.a in Debian-based distributions. Alternatively, you can use the following installation script to detect the correct location of libc.a based on the distribution being used:

```bash
#!/bin/bash

# Find the location of libc.a
LIBC_PATH=$(find /usr/lib /usr/lib64 -name libc.a | head -n 1)

# Check if libc.a was found
if [[ -z "$LIBC_PATH" ]]; then
  echo "Error: libc.a not found"
  exit 1
fi

echo "Using libc.a located at: $LIBC_PATH"

# Continue with the installation using the correct path to libc.a
```

This script uses find to search for libc.a in the /usr/lib and /usr/lib64 directories, which are the most common locations for system libraries. The head command is used to return only the first result found, which should be the correct location of libc.a.

How to evolve DNS strategies

Command: python3 evolve.py --test-type dns --log debug --strategy "\/"
Error:

Traceback (most recent call last):
  File "evolve.py", line 835, in <module>
    driver(sys.argv[1:])
  File "evolve.py", line 814, in driver
    hall_of_fame = genetic_solve(logger, options, ga_evaluator)
  File "evolve.py", line 526, in genetic_solve
    population = initialize_population(logger, options, canary_id, disabled=options["disable_action"])
  File "evolve.py", line 495, in initialize_population
    p = generate_strategy(logger, options["in-trees"], options["out-trees"], options["in-actions"],
  File "evolve.py", line 308, in generate_strategy
    strat.initialize(logger, num_in_trees, num_out_trees, num_in_actions, num_out_actions, seed, disabled=disabled)
  File "/root/xsd/pk/geneva/actions/strategy.py", line 75, in initialize
    self.init_from_scratch(num_in_trees, num_out_trees, num_in_actions, num_out_actions, disabled=disabled)
  File "/root/xsd/pk/geneva/actions/strategy.py", line 94, in init_from_scratch
    out_tree.initialize(num_out_actions, self.environment_id, disabled=disabled)
  File "/root/xsd/pk/geneva/actions/tree.py", line 47, in initialize
    self.trigger = actions.trigger.Trigger(None, None, None, environment_id=environment_id)
  File "/root/xsd/pk/geneva/actions/trigger.py", line 40, in __init__
    self.trigger_type, self.trigger_proto, self.trigger_field, self.trigger_value, self.gas_remaining = Trigger.get_rand_trigger(environment_id, 1)
  File "/root/xsd/pk/geneva/actions/trigger.py", line 61, in get_rand_trigger
    proto, field, value = actions.utils.get_from_fuzzed_or_real_packet(environment_id, real_packet_probability, enable_options=False, enable_load=False)
  File "/root/xsd/pk/geneva/actions/utils.py", line 403, in get_from_fuzzed_or_real_packet
    return packet.get_random()
  File "/root/xsd/pk/geneva/layers/packet.py", line 235, in get_random
    layer = self.get_random_layer()
  File "/root/xsd/pk/geneva/layers/packet.py", line 229, in get_random_layer
    return self.layers[random.choice(list(self.layers.keys()))]
  File "/usr/lib/python3.8/random.py", line 290, in choice
    raise IndexError('Cannot choose from an empty sequence') from None
IndexError: Cannot choose from an empty sequence

FileNotFoundError: [Errno 2] No such file or directory: b'liblibc.a'

Trying to test on a fresh Debian 11,

first

apt-get install build-essential python-dev libnetfilter-queue-dev libffi-dev libssl-dev iptables python3-pip

second

python3 -m pip install -r requirements.txt

...

Successfully built scapy mysql-connector netfilterqueue
Installing collected packages: pycparser, tomli, pluggy, packaging, iniconfig, exceptiongroup, coverage, charset-normalizer, cffi, soupsieve, requests, pytest, pynacl, cryptography, bcrypt, tqdm, tld, scapy, python-dotenv, pytest-cov, psutil, paramiko, netifaces, netfilterqueue, mysql-connector, graphviz, docker, dnspython, codecov, beautifulsoup4, anytree
  Attempting uninstall: requests
    Found existing installation: requests 2.25.1
    Not uninstalling requests at /usr/lib/python3/dist-packages, outside environment /usr
    Can't uninstall 'requests'. No files were found to uninstall.
Successfully installed anytree-2.12.1 bcrypt-4.1.2 beautifulsoup4-4.12.3 cffi-1.16.0 charset-normalizer-3.3.2 codecov-2.1.13 coverage-7.4.3 cryptography-3.3.2 dnspython-2.6.1 docker-7.0.0 exceptiongroup-1.2.0 graphviz-0.20.1 iniconfig-2.0.0 mysql-connector-2.2.9 netfilterqueue-1.1.0 netifaces-0.11.0 packaging-23.2 paramiko-3.4.0 pluggy-1.4.0 psutil-5.9.8 pycparser-2.21 pynacl-1.5.0 pytest-8.0.2 pytest-cov-4.1.0 python-dotenv-1.0.1 requests-2.31.0 scapy-2.4.3 soupsieve-2.5 tld-0.13 tomli-2.0.1 tqdm-4.66.2

third

trying to test

geneva (master)# python3 ./engine.py --server-port 8080 --strategy "\/" --log debug
Traceback (most recent call last):
  File "/opt/app/geneva/./engine.py", line 22, in <module>
    from scapy.layers.inet import IP
  File "/usr/local/lib/python3.9/dist-packages/scapy/layers/inet.py", line 25, in <module>
    from scapy.layers.l2 import Ether, Dot3, getmacbyip, CookedLinux, GRE, SNAP, \
  File "/usr/local/lib/python3.9/dist-packages/scapy/layers/l2.py", line 17, in <module>
    from scapy.ansmachine import AnsweringMachine
  File "/usr/local/lib/python3.9/dist-packages/scapy/ansmachine.py", line 16, in <module>
    from scapy.sendrecv import send, sniff
  File "/usr/local/lib/python3.9/dist-packages/scapy/sendrecv.py", line 35, in <module>
    import scapy.route  # noqa: F401
  File "/usr/local/lib/python3.9/dist-packages/scapy/route.py", line 194, in <module>
    conf.route = Route()
  File "/usr/local/lib/python3.9/dist-packages/scapy/route.py", line 27, in __init__
    self.resync()
  File "/usr/local/lib/python3.9/dist-packages/scapy/route.py", line 33, in resync
    from scapy.arch import read_routes
  File "/usr/local/lib/python3.9/dist-packages/scapy/arch/__init__.py", line 28, in <module>
    from scapy.arch.bpf.core import get_if_raw_addr
  File "/usr/local/lib/python3.9/dist-packages/scapy/arch/bpf/core.py", line 31, in <module>
    LIBC = cdll.LoadLibrary(find_library("libc"))
  File "/usr/lib/python3.9/ctypes/util.py", line 341, in find_library
    _get_soname(_findLib_gcc(name)) or _get_soname(_findLib_ld(name))
  File "/usr/lib/python3.9/ctypes/util.py", line 147, in _findLib_gcc
    if not _is_elf(file):
  File "/usr/lib/python3.9/ctypes/util.py", line 99, in _is_elf
    with open(filename, 'br') as thefile:
FileNotFoundError: [Errno 2] No such file or directory: b'liblibc.a'

and it seems the lib has been installed

find / -name libc.a
/usr/lib/x86_64-linux-gnu/libc.a

and it seems relevant to #61
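
The traceback above shows `find_library("libc")` followed by a lookup for `liblibc.a`: `ctypes.util.find_library` expects the library name without the `lib` prefix or a suffix, so the prefix ends up doubled. As an added example (not part of the issue, and not code from Geneva or scapy), this scanner flags such calls in installed Python sources; `bare_name`, `suspicious_calls` and `scan_tree` are hypothetical helper names and the sample source is constructed.

```python
import ast
import re
import sys
from pathlib import Path

# Constructed source reproducing the call from the traceback
# (scapy/arch/bpf/core.py, line 31) next to a correctly named lookup.
SAMPLE_SOURCE = '''\
from ctypes import cdll
from ctypes.util import find_library

LIBC = cdll.LoadLibrary(find_library("libc"))
LIBM = cdll.LoadLibrary(find_library("m"))
'''

_LIB_NAME = re.compile(r"lib(.+?)(?:\.so(?:\.\d+)*|\.a|\.dylib)?")


def bare_name(name):
    """Reduce 'libc', 'libc.a' or 'libc.so.6' to the bare name 'c'.

    find_library() adds the 'lib' prefix and the suffix itself, so a name
    that already carries them is searched for as 'liblibc'. Heuristic: a
    library whose bare name really starts with 'lib' is flagged as well.
    """
    match = _LIB_NAME.fullmatch(name)
    return match.group(1) if match else name


def suspicious_calls(source, filename="<source>"):
    """Return (file, line, given_name, bare_name) for each find_library()
    call whose string-literal argument carries a lib prefix or suffix."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            called = func.attr          # ctypes.util.find_library(...)
        else:
            called = getattr(func, "id", None)   # find_library(...)
        arg = node.args[0]
        if (called == "find_library" and isinstance(arg, ast.Constant)
                and isinstance(arg.value, str)):
            fixed = bare_name(arg.value)
            if fixed != arg.value:
                findings.append((filename, node.lineno, arg.value, fixed))
    return sorted(findings, key=lambda item: item[1])


def scan_tree(root):
    """Scan every .py file below root, skipping files that do not parse."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(suspicious_calls(text, str(path)))
        except (SyntaxError, ValueError, OSError):
            continue
    return findings


if __name__ == "__main__":
    # Usage: python3 scan.py /usr/local/lib/python3.9/dist-packages/scapy
    for root in sys.argv[1:] or ["."]:
        for filename, line, given, fixed in scan_tree(root):
            print(f'{filename}:{line}: find_library("{given}") '
                  f'should be find_library("{fixed}")')
```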

Make geneva a package

Distributing Geneva as a Python project is desirable because it

  • enables re-use of code through other projects by making Geneva a dependency
  • improves dependency specification through poetry
  • makes installation easier and might help with OS independence
  • provides a clearer structure for imports
  • allows working-directory independent execution

I created a draft of what this could look like at https://github.com/VwCSXg/geneva/tree/pyproject.
It mostly works; however, some tests are failing or not finishing at all, and I didn't manage to run pytest even on the main branch, which is why I can't really pin down the problems created by refactoring Geneva as a package.
Help in fixing those issues would be much appreciated :)

Failure when the number of connections is huge!

I run it in server mode with no strategy, using the command python3 engine.py --server-port 2083 --strategy "\/" --server-side --log debug for debugging. It works fine when the number of connections is low, but when it reaches about 15k connections, the client side fails!
