From 2157fed5928368af289b36d8441782fdde33f07f Mon Sep 17 00:00:00 2001 From: bol-van Date: Fri, 1 Mar 2024 17:38:40 +0300 Subject: [PATCH] remove old custom script --- init.d/sysv/custom-nfqws-quic4all-complex | 65 ----------------------- 1 file changed, 65 deletions(-) delete mode 100644 init.d/sysv/custom-nfqws-quic4all-complex diff --git a/init.d/sysv/custom-nfqws-quic4all-complex b/init.d/sysv/custom-nfqws-quic4all-complex deleted file mode 100644 index d5450b1..0000000 --- a/init.d/sysv/custom-nfqws-quic4all-complex +++ /dev/null @@ -1,65 +0,0 @@ -# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering -# and also sends special fake on the first outgoing packet with short header and udp.length>600 -# need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" -# need to add to config : NFQWS_OPT_DESYNC_QUIC_SHORT_HEADER="--dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-unknown-udp=/opt/zapret/files/fake/quic_short_header.bin --dpi-desync-cutoff=n2" -# NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received - -# this hack was first intended for TSPU but it appeared that it's overkill - -QNUM2=$(($QNUM+10)) -QNUM3=$(($QNUM+11)) - -zapret_custom_daemons() -{ - # $1 - 1 - run, 0 - stop - - local MODE_OVERRIDE=nfqws - local opt - - zapret_do_daemons $1 - - opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - do_nfqws $1 100 "$opt" - - opt="--qnum=$QNUM3 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC_SHORT_HEADER" - do_nfqws $1 101 "$opt" -} -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - local MODE_OVERRIDE=nfqws - local f - local first_packets_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:3" - local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - local udplen="-m length --length 601:1500" - local short_header4="-m u32 --u32 0>>22&0x3C@8>>24&0xC0=0x40" - - zapret_do_firewall_rules_ipt $1 - - f="-p udp -m multiport --dports $QUIC_PORTS_IPT" - fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 - # this for ipv4 only. do not have access to ipv6 enabled TSPU to test - fw_nfqws_post $1 "$f $desync $udplen $short_header4" "" $QNUM3 - -} -zapret_custom_firewall_nft() -{ - # stop logic is not required - - local MODE_OVERRIDE=nfqws - local f - local first_packets_only="ct original packets 1-3" - local desync="mark and $DESYNC_MARK == 0" - local udplen="udp length 601-1500" - local short_header4="@th,64,2 1" - - zapret_apply_firewall_rules_nft - - f="udp dport {$QUIC_PORTS}" - nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 - # this for ipv4 only. do not have access to ipv6 enabled TSPU to test - nft_fw_nfqws_post "$f $desync $udplen $short_header4" "" $QNUM3 - # add flow offload exemption for the whole stream because we dont know when short_header rule triggers - nft_add_flow_offload_exemption "$f" "" "QUIC exemption for complex TSPU hack" -}