add built-in e2e test matrix

aleskxyz · aleskxyz · commit a1b8e8f69767 · 2026-05-25T19:56:38.000Z
Signed-off-by: aleskxyz &lt;39186039+aleskxyz@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ Useful options:
 | Flag | Default | Meaning |
 | ---- | ------- | ------- |
 | `-config` | `./config.ini` if it exists | INI config file; CLI flags override file values |
+| `-test` | disabled | Run the built-in e2e test matrix for the selected `-connect`/`-fake-sni` pair, then exit |
 | `-fake-sni` | hostname from `-connect` | Decoy SNI used in the injected fake ClientHello |
 | `-fake-repeat` | `1` | Number of fake ClientHello injections |
 | `-fake-delay` | `2ms` | Delay after fake injection before forwarding real traffic |
@@ -93,6 +94,16 @@ sni-chunk = 3
 
 The repository includes `config.example.ini`; copy it to `config.ini` to use the automatic default config loading.
 
+Method test:
+
+```bash
+./sni-spoofing-linux-amd64 -test -connect 104.19.229.21:443 -fake-sni hcaptcha.com
+```
+
+`-test` first runs a preflight check for the selected upstream IP and fake SNI. The preflight confirms that the upstream path is reachable and compares the network-visible IPs used by the test; if the upstream path is unreachable or the known IPs differ, the method is not expected to work for that pair.
+
+After preflight, it runs an e2e matrix through the local tunnel. The matrix tries the supported TLS fingerprints with one or two fake injections, both with and without real ClientHello fragmentation. `PASS` means the local tunnel completed a real HTTPS request; `FAIL` means that combination did not work in the current network conditions. If every case fails, try a different upstream IP or fake SNI. If only some cases pass, use one of the passing combinations for normal runs.
+
 ### Docker (prebuilt image)
 
 Prebuilt images are published to GitHub Container Registry:
diff --git a/config/connect.go b/config/connect.go
@@ -10,12 +10,24 @@ import (
 )
 
 func ConnectFromCLI(listenAddr, connectAddr, fakeSNIOverride string) (*Config, error) {
+	return connectFromCLI(listenAddr, connectAddr, fakeSNIOverride, false)
+}
+
+func ConnectFromCLIAllowListenPortZero(listenAddr, connectAddr, fakeSNIOverride string) (*Config, error) {
+	return connectFromCLI(listenAddr, connectAddr, fakeSNIOverride, true)
+}
+
+func connectFromCLI(listenAddr, connectAddr, fakeSNIOverride string, allowListenPortZero bool) (*Config, error) {
 	listenHost, listenPortStr, err := net.SplitHostPort(listenAddr)
 	if err != nil {
 		return nil, fmt.Errorf("listen address %q: %w", listenAddr, err)
 	}
 	listenPort, err := strconv.Atoi(listenPortStr)
-	if err != nil || listenPort < 1 || listenPort > 65535 {
+	minListenPort := 1
+	if allowListenPortZero {
+		minListenPort = 0
+	}
+	if err != nil || listenPort < minListenPort || listenPort > 65535 {
 		return nil, fmt.Errorf("invalid listen port in %q", listenAddr)
 	}
 	connectHost, connectPortStr, err := net.SplitHostPort(connectAddr)
diff --git a/config/connect_test.go b/config/connect_test.go
@@ -53,3 +53,16 @@ func TestConnectFromCLI_IPWithFakeSNI(t *testing.T) {
 		t.Fatalf("ConnectIPv4s = %v", cfg.ConnectIPv4s)
 	}
 }
+
+func TestConnectFromCLIListenPortZeroOnlyWhenAllowed(t *testing.T) {
+	if _, err := ConnectFromCLI("127.0.0.1:0", "198.51.100.2:443", "allowed.example.com"); err == nil {
+		t.Fatal("expected listen port 0 to fail in normal mode")
+	}
+	cfg, err := ConnectFromCLIAllowListenPortZero("127.0.0.1:0", "198.51.100.2:443", "allowed.example.com")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cfg.ListenPort != 0 {
+		t.Fatalf("ListenPort = %d, want 0", cfg.ListenPort)
+	}
+}
diff --git a/injection/injector_linux.go b/injection/injector_linux.go
@@ -250,8 +250,6 @@ func (f *FakeTcpInjector) cleanupIptables() {
 	runCmd("iptables", "-D", "INPUT", "-p", "tcp",
 		"-s", f.connectIP, "--sport", port,
 		"-j", "NFQUEUE", "--queue-num", queueNum)
-
-	log.Print("iptables: cleaned")
 }
 
 func runCmd(name string, args ...string) error {
@@ -270,7 +268,9 @@ func (f *FakeTcpInjector) Start() error {
 			return 0
 		},
 		func(e error) int {
-			log.Printf("nfqueue error: %v", e)
+			if f.ctx.Err() == nil {
+				log.Printf("nfqueue error: %v", e)
+			}
 			return 0
 		},
 	)
diff --git a/injection/injector_windows.go b/injection/injector_windows.go
@@ -112,10 +112,13 @@ func (f *FakeTcpInjector) Close() {
 }
 
 func (f *FakeTcpInjector) sendPacket(raw []byte, addr *godivert.Address) error {
+	if f.shutdown.Load() {
+		return nil
+	}
 	f.sendMu.Lock()
 	_, err := f.wd.Send(raw, addr)
 	f.sendMu.Unlock()
-	if err != nil {
+	if err != nil && !f.shutdown.Load() {
 		log.Printf("WinDivert send error: %v", err)
 	}
 	return err
diff --git a/main.go b/main.go
diff --git a/main_test.go b/main_test.go

Original file line number	Diff line number	Diff line change
`@@ -112,10 +112,13 @@ func (f *FakeTcpInjector) Close() {`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`func (f FakeTcpInjector) sendPacket(raw []byte, addr godivert.Address) error {`
	`115`	`+ if f.shutdown.Load() {`
	`116`	`+ return nil`
	`117`	`+ }`
`115`	`118`	`f.sendMu.Lock()`
`116`	`119`	`_, err := f.wd.Send(raw, addr)`
`117`	`120`	`f.sendMu.Unlock()`
`118`		`- if err != nil {`
	`121`	`+ if err != nil && !f.shutdown.Load() {`
`119`	`122`	`log.Printf("WinDivert send error: %v", err)`
`120`	`123`	`}`
`121`	`124`	`return err`