readme : disorder2,split2 notice

bol-van 2020-02-02 19:31:11 +03:00
parent 626b1444dc
commit 257652fc5e
2 changed files with 5 additions and 2 deletions


@ -42,7 +42,7 @@ In short, the options can be classified according to the following scheme:
This option is out of the scope of the project. If you do not allow ban trigger to fire, then you wont have to
deal with its consequences.
2) Modification of the TCP connection at the stream level. Implemented through a proxy or transparent proxy.
3) Modification of TCP connection at the packet level. Implemented through the NFQUEUE queue handler and raw sockets.
3) Modification of TCP connection at the packet level. Implemented through the NFQUEUE handler and raw sockets.
For options 2 and 3, tpws and nfqws programs are implemented, respectively.
You need to run them with the necessary parameters and redirect certain traffic with iptables.
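Review bot: The reworded item 3 still reads "Modification of TCP connection at the packet level" while item 2 directly above has "Modification of the TCP connection at the stream level"; since the line is being edited anyway, add the article so the two items match. The context above it also has "wont" for "won't" and "ban trigger" without an article, which could be fixed in the same pass.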
@ -83,7 +83,6 @@ Then we can reduce CPU load, refusing to process unnecessary packets.
iptables -t mangle -I POSTROUTING -o <внешний_интерфейс> -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 2:4 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass
ip6tables
---------
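Review bot: The iptables example in this hunk keeps the placeholder "<внешний_интерфейс>" in Russian although the surrounding text is English; rename it to something like "<external_interface>" so readers copying the rule know what to put after -o. It would also help to say next to the rule that, because of --queue-bypass, packets leave unmodified when no handler is listening on queue 200.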
@ -190,6 +189,8 @@ Split mode is very similar to disorder but without segment reordering :
4. 2nd segment
Mode 'split2' disables sending of fake segments. It can be used as a faster alternative to --wsize.
In disorder2 and split2 modes no fake packets are sent, so no fooling options are required.
There are DPIs that analyze responses from the server, particularly the certificate from the ServerHello
that contain domain name(s). The ClientHello delivery confirmation is an ACK packet from the server
with ACK sequence number corresponding to the length of the ClientHello+1.
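Review bot: The added sentence says "no fake packets are sent" while the line right above it says split2 "disables sending of fake segments"; pick one term for both lines so readers do not take them for two different things. "fooling options" is also not tied to any parameter in the visible text; name the option or option group it refers to, so the notice can be matched against the parameter list.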


@ -224,6 +224,8 @@ nfqws
Режим split2 отключает отправку поддельных частей.
Он может быть использован как более быстрая альтернатива --wsize.
disorder2 и split2 не предполагают отсылку фейк пакетов, поэтому опции дурения неактуальны.
Есть DPI, которые анализируют ответы от сервера, в частности сертификат из ServerHello, где прописаны домены.
Подтверждением доставки ClientHello является ACK пакет от сервера с номером ACK sequence, соответствующим длине ClientHello+1.
В варианте disorder обычно приходит сперва частичное подтверждение (SACK), потом полный ACK.
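Review bot: The added Russian sentence says the fooling options are "неактуальны" (not applicable) in disorder2 and split2, whereas the English counterpart says they are not "required"; these are not the same statement. State in both files what happens when such an option is passed in these modes (ignored or rejected) and word the two sentences identically. The sentence also uses "фейк пакетов" where the line two above uses "поддельных частей"; use one term.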