Alexey
840713a359
Merge pull request #847 from AndreyOsipuk/feat/client-mss-relay
...
feat(server): client_mss_bulk — fragment only the handshake, restore MSS for bulk data (cuts pps)
2026-06-20 22:10:04 +03:00
Andrey Osipuk
50b67a93d6
feat(server): client_mss_bulk — raise MSS after handshake to cut pps
...
client_mss (e.g. "tspu", MSS=92) fragments the whole connection to evade
DPI on the ServerHello, but it also fragments bulk payload, multiplying
outgoing packets-per-second ~10x. On hosts whose abuse detection counts
pps (not bandwidth) this trips packet-flood limits.
Add an optional [server].client_mss_bulk: keep the low client_mss for the
handshake (ServerHello stays fragmented => DPI bypass intact), then raise
the client socket MSS to client_mss_bulk once the connection enters the
post-handshake (bulk transfer) phase, so bulk data uses normal-size
segments and pps drops back to normal. Same preset/int grammar as
client_mss. Opt-in: when unset, the handshake MSS is kept for the whole
connection (unchanged behavior).
Linux-only (setsockopt TCP_MAXSEG via raw fd, mirroring TCP_USER_TIMEOUT);
no-op on other unix. Documented in CONFIG_PARAMS.{en,ru}.
2026-06-19 11:11:01 +03:00
Alexey
72800e4aa7
Harden masking fallback and frame readers after flow sync
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-17 21:48:57 +03:00
Alexey
49742d38a7
Merge pull request #843 from amirotin/fix/config-api-section-corruption
...
Fix config API corrupting nested sub-tables on save
2026-06-15 20:55:56 +03:00
Mirotin Artem
869d8517a0
Rustfmt
2026-06-15 10:40:45 +03:00
Mirotin Artem
e82ce634d6
Use tokio::fs for I/O in config API tests
...
The save and patch paths under test are async, so the tests now use tokio::fs instead of blocking std::fs. The config_store tests also switch to tempfile::tempdir() for panic-safe cleanup instead of manual remove_dir_all.
2026-06-15 10:05:09 +03:00
Mirotin Artem
f1f46fac42
Fix config API corrupting nested sub-tables on save
...
render_top_level_section serialized a section in isolation, so nested sub-tables ([general.links], [general.modes]) were emitted as bare [links]/[modes] top-level headers and duplicated on load. Serialize the section inside a wrapper keyed by its name to keep dotted headers.
find_toml_table_bounds only spanned the first contiguous block, leaving scattered sub-tables behind as duplicates on repeated saves. Replace it with find_all_table_blocks and drop every block belonging to the section during upsert.
show_link is a legacy top-level scalar/array, not a [table]; the upsert machinery appended a bare key at EOF (landing inside the previous table) and duplicated it on repeat. Remove it from EDITABLE_SECTIONS; the editable general.links.show sub-table covers the case.
Add tests for dotted sub-tables, idempotent saves, non-contiguous layouts, show_link rejection, and integer/float/string coercion of public_port.
2026-06-15 09:49:47 +03:00
Alexey
37d0184a0b
Implement shared MTProto framing and ME address role separation
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-15 08:50:08 +03:00
Alexey
d81d7dba62
Rustfmt
2026-06-14 19:59:06 +03:00
Alexey
04b8d8365c
Account for full-word paddings in roundtrip tests
2026-06-14 19:38:54 +03:00
Alexey
2e26bfb86e
Updated secure padding expectations for VersionD
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-14 16:33:41 +03:00
Alexey
d414c73c9b
Hardened KDF-Tuple + NAT Probing + Paddings
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-14 16:15:41 +03:00
Alexey
d1a97fe10f
Update README.md
2026-06-14 12:03:55 +03:00
Alexey
b153782597
More efficient Relay Mode
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-13 23:22:50 +03:00
Alexey
9dc67727b0
Merge pull request #840 from telemt/flow
...
Restore single-record TLS-F primary application flight + Fix SYN limiter lifecycle and default burst
3.4.18
2026-06-12 15:23:23 +03:00
Alexey
2d02fbe548
Bump
2026-06-12 15:06:14 +03:00
Alexey
2675779915
Fix SYN limiter lifecycle and default burst
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-12 14:40:26 +03:00
Alexey
c4954f745f
Restore single-record TLS-F primary application flight
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-12 12:44:22 +03:00
Alexey
f33abfb09e
Merge pull request #838 from telemt/flow
...
SYN limiter for Netfilter control + Syntactic key shares for TLS-F
3.4.17
2026-06-12 10:08:25 +03:00
Alexey
9904da737a
Rustfmt
2026-06-12 01:28:41 +03:00
Alexey
9a3ff726b2
Use token-bucket SYN limiter backends
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-12 01:27:03 +03:00
Alexey
942882f9de
SYN Limiter interval and hitcount in Config
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-12 00:29:23 +03:00
Alexey
eeff16c3fd
Rustfmt
2026-06-12 00:01:01 +03:00
Alexey
c86dc2f65e
Docs for SYN Limiter
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 23:59:47 +03:00
Alexey
1cbde70a14
Add per-listener SYN limiter for Netfilter control
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 23:58:48 +03:00
Alexey
26cd4734de
Update tls.rs
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 23:29:10 +03:00
Alexey
52a1b66ad7
Syntactic key shares for TLS-F
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 23:13:21 +03:00
Alexey
9ff48c2028
Merge pull request #836 from telemt/flow
...
API + TLS-F Advanced tuning
3.4.16
2026-06-11 21:08:11 +03:00
Alexey
b43c683615
Rustfmt
2026-06-11 19:59:48 +03:00
Alexey
e41470fb4c
Update fetcher.rs
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 19:52:23 +03:00
Alexey
09dc0cb76c
Update handshake_security_tests.rs
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 19:44:39 +03:00
Alexey
c36eb81808
Fix for TLS-F, ALPN and SNI/ALPN helpers
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 19:17:06 +03:00
Alexey
0f8aca56d9
Fix fallback test record iterator lifetime
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 17:56:21 +03:00
Alexey
4e66933a35
Fix TLS masking test ClientHello fixtures and tail write ordering
2026-06-11 17:51:05 +03:00
Alexey
7cf00db242
Update client_masking_budget_security_tests.rs
2026-06-11 17:32:26 +03:00
Alexey
8bc1ac06d6
Update client_masking_budget_security_tests.rs
2026-06-11 17:31:23 +03:00
Alexey
59cfcf05d3
Update client_masking_blackhat_campaign_tests.rs
2026-06-11 17:23:35 +03:00
Alexey
fcbedf66ea
Update client_masking_blackhat_campaign_tests.rs
2026-06-11 17:21:54 +03:00
Alexey
f5c402d9fc
Update metrics.rs
2026-06-11 16:43:24 +03:00
Alexey
118d53239a
Merge pull request #835 from telemt/flow-ey
...
TLS Fixes escalating
2026-06-11 16:38:10 +03:00
Alexey
607f5442ad
Merge pull request #834 from telemt/flow-11ec
...
TLS Fixes
2026-06-11 16:37:15 +03:00
Alexey
1edd63bfb1
Rustfmt + Bump
2026-06-11 16:36:33 +03:00
Alexey
a808dc2815
Fix TLS fetch test constants scope
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 16:34:58 +03:00
Alexey
6dc9f8c27a
Replay-safe TLS-F ServerHello profile consistency
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 16:11:41 +03:00
Alexey
409b0ef5ee
Expose TLS Fetcher Profile Quality for ServerHello fidelity
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 14:53:21 +03:00
Alexey
3d0560d583
Select ServerHello key share from TLS Fetcher Profile
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 14:43:03 +03:00
Alexey
62af515504
Generate Valid X25519MLKEM768 ServerHello key shares
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 14:14:09 +03:00
Alexey
eba55e755d
Preserve TLS-F Origin Record Choreography
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 13:51:58 +03:00
Alexey
c4b58ad374
Hardened TLS-F ServerHello selection
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 13:07:40 +03:00
Alexey
db7ff8737c
Add dynamic SNI mask target mode
...
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-06-11 10:36:37 +03:00