Truncated history

init.d/macos/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,18 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall_v4()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
+}
+zapret_custom_firewall_v6()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
+}

init.d/macos/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,18 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall_v4()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
+}
+zapret_custom_firewall_v6()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
+}

init.d/macos/custom.d.examples/50-extra-tpws

@@ -0,0 +1,30 @@
+# this script is an example describing how to run tpws on a custom port
+
+DNUM=100
+TPPORT_MY=${TPPORT_MY:-987}
+TPWS_OPT_MY=${TPWS_OPT_MY:-987}
+TPWS_OPT_SUFFIX_MY="${TPWS_OPT_SUFFIX_MY:-}"
+DPORTS_MY=${DPORTS_MY:-20443,20444,30000-30009}
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt="--user=root --port=$TPPORT_MY"
+	tpws_apply_binds opt
+	opt="$opt $TPWS_OPT_MY"
+	filter_apply_hostlist_target opt
+	filter_apply_suffix opt "$TPWS_OPT_SUFFIX_MY"
+	do_daemon $1 $DNUM "$TPWS" "$opt"
+}
+
+# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
+# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
+
+zapret_custom_firewall_v4()
+{
+	pf_anchor_zapret_v4_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
+}
+zapret_custom_firewall_v6()
+{
+	pf_anchor_zapret_v6_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
+}

init.d/macos/functions

@@ -0,0 +1,211 @@
+# init script functions library for macos
+
+ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/pf.sh"
+. "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/macos"
+
+IPSET_DIR=$ZAPRET_BASE/ipset
+. "$IPSET_DIR/def.sh"
+
+PIDDIR=/var/run
+[ -n "$TPPORT" ] || TPPORT=988
+[ -n "$WS_USER" ] || WS_USER=daemon
+TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
+TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
+[ -n "$TPWS" ] || TPWS="$ZAPRET_BASE/tpws/tpws"
+
+CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom"
+[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
+
+run_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# $3 - daemon args
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+	local DAEMONBASE="$(basename "$2")"
+	local PIDFILE="$PIDDIR/$DAEMONBASE$1.pid"
+	local ARGS="--daemon --pidfile=$PIDFILE $3"
+	[ -f "$PIDFILE" ] && pgrep -qF "$PIDFILE" && {
+		echo Already running $1: $2
+		return 0
+	}
+	echo "Starting daemon $1: $2 $ARGS"
+	"$2" $ARGS
+}
+stop_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+
+	local PID
+	local DAEMONBASE="$(basename "$2")"
+	local PIDFILE="$PIDDIR/$DAEMONBASE$1.pid"
+	[ -f "$PIDFILE" ] && read PID <"$PIDFILE"
+	[ -n "$PID" ] && {
+		echo "Stopping daemon $1: $2 (PID=$PID)"
+		kill $PID
+		rm -f "$PIDFILE"
+	}
+	return 0
+}
+do_daemon()
+{
+	# $1 - 1 - run, 0 - stop
+	on_off_function run_daemon stop_daemon "$@"
+}
+
+tpws_apply_binds()
+{
+	local o
+	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
+	[ "$DISABLE_IPV6" = "1" ] || {
+		for i in lo0 $IFACE_LAN; do
+			o="$o --bind-iface6=$i --bind-linklocal=force $TPWS_WAIT"
+		done
+	}
+	eval $1="\"\$$1 $o\""
+}
+tpws_apply_socks_binds()
+{
+	local o
+
+	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
+	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
+	
+	for lan in $IFACE_LAN; do
+	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
+	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+	done
+	eval $1="\"\$$1 $o\""
+}
+
+wait_interface_ll()
+{
+	echo waiting for an ipv6 link local address on $1 ...
+	"$TPWS" --bind-wait-only --bind-iface6=$1 --bind-linklocal=force $TPWS_WAIT
+}
+wait_lan_ll()
+{
+	[ "$DISABLE_IPV6" != "1" ] && {
+		for lan in $IFACE_LAN; do
+			wait_interface_ll $lan >&2 || {
+				echo "wait interface failed on $lan"
+				return 1
+			}
+		done
+	}
+	return 0
+}
+get_ipv6_linklocal()
+{
+	ifconfig $1 | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p'
+}
+
+
+zapret_do_firewall()
+{
+	# $1 - 1 - add, 0 - del
+
+	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
+
+	case "${MODE_OVERRIDE:-$MODE}" in
+		tpws|filter|custom)
+			if [ "$1" = "1" ] ; then
+				pf_anchor_root || return 1
+				pf_anchors_create
+				pf_anchors_load || return 1
+				pf_enable
+			else
+				pf_anchors_clear
+			fi
+			;;
+	esac
+
+	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
+	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
+
+	return 0
+}
+zapret_apply_firewall()
+{
+	zapret_do_firewall 1 "$@"
+}
+zapret_unapply_firewall()
+{
+	zapret_do_firewall 0 "$@"
+}
+zapret_restart_firewall()
+{
+	zapret_unapply_firewall "$@"
+	zapret_apply_firewall "$@"
+}
+
+
+
+zapret_do_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt
+
+	case "${MODE_OVERRIDE:-$MODE}" in
+		tpws)
+			[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
+				echo "both ipv4 and ipv6 are disabled. nothing to do"
+				return 0
+			}
+			# MacOS requires root. kernel hardcoded requirement for /dev/pf ioctls
+			opt="--user=root --port=$TPPORT"
+			tpws_apply_binds opt
+			opt="$opt $TPWS_OPT"
+			filter_apply_hostlist_target opt
+			filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+			do_daemon $1 1 "$TPWS" "$opt"
+			;;
+		tpws-socks)
+			[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
+				echo "both ipv4 and ipv6 are disabled. nothing to do"
+				return 0
+			}
+			opt="--socks --user=$WS_USER --port=$TPPORT"
+			tpws_apply_socks_binds opt
+			opt="$opt $TPWS_OPT"
+			filter_apply_hostlist_target opt
+			filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+			do_daemon $1 1 "$TPWS" "$opt"
+			;;
+		filter)
+			;;
+		custom)
+			custom_runner zapret_custom_daemons $1
+			;;
+		*)
+			echo "unsupported MODE=$MODE"
+			return 1
+			;;
+	esac
+
+	return 0
+}
+zapret_run_daemons()
+{
+	zapret_do_daemons 1 "$@"
+}
+zapret_stop_daemons()
+{
+	zapret_do_daemons 0 "$@"
+}
+zapret_restart_daemons()
+{
+	zapret_stop_daemons "$@"
+	zapret_run_daemons "$@"
+}

init.d/macos/zapret

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+EXEDIR="$(dirname "$0")"
+ZAPRET_BASE="$EXEDIR/../.."
+ZAPRET_BASE="$(cd "$ZAPRET_BASE"; pwd)"
+
+. "$EXEDIR/functions"
+
+case "$1" in
+	start)
+		zapret_run_daemons
+		[ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall
+		;;
+	stop)
+		[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
+		zapret_stop_daemons
+		;;
+	restart)
+		"$0" stop
+		"$0" start
+		;;
+
+	start-fw|start_fw)
+		zapret_apply_firewall
+		;;
+	stop-fw|stop_fw)
+		zapret_unapply_firewall
+		;;
+	restart-fw|stop_fw)
+		zapret_restart_firewall
+		;;
+	reload-fw-tables|reload_fw_tables)
+		pf_table_reload
+		;;
+	
+	start-daemons|start_daemons)
+		zapret_run_daemons
+		;;
+	stop-daemons|stop_daemons)
+		zapret_stop_daemons
+		;;
+	restart-daemons|restart_daemons)
+		zapret_restart_daemons
+		;;
+		
+  *)
+	N="$SCRIPT/$NAME"
+	echo "Usage: $N {start|stop|start-fw|stop-fw|restart-fw|reload-fw-tables|start-daemons|stop-daemons|restart-daemons}" >&2
+	exit 1
+	;;
+esac

init.d/macos/zapret.plist

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>zapret</string>
+    <key>LaunchOnlyOnce</key>
+    <false/>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/opt/zapret/init.d/macos/zapret</string>
+        <string>start</string>
+    </array>
+    <key>RunAtLoad</key>
+    <true/>
+</dict>
+</plist>

init.d/openrc/zapret

@@ -0,0 +1,69 @@
+#!/sbin/openrc-run
+
+# zapret openrc to sysv adapter
+# on some systems (alpine) for unknown reason non-openrc-run scripts are not started from /etc/init.d
+
+EXEDIR=$(dirname "$RC_SERVICE")
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+ZAPRET_BASE="$EXEDIR/../.."
+ZAPRET_INIT="$ZAPRET_BASE/init.d/sysv/zapret"
+
+extra_commands="start_fw stop_fw restart_fw start_daemons stop_daemons restart_daemons reload_ifsets list_ifsets list_table"
+description="extra commands :"
+description_stop_fw="Stop zapret firewall"
+description_start_fw="Start zapret firewall"
+description_restart_fw="Restart zapret firewall"
+description_reload_ifsets="Reload interface lists (nftables only)"
+description_list_ifsets="Display interface lists (nftables only)"
+description_list_table="Display zapret nftable (nftables only)"
+description_stop_daemons="Stop zapret daemons only"
+description_start_daemons="Start zapret daemons only"
+description_restart_daemons="Restart zapret firewall only"
+
+depend() {
+	rc-service -e networking && need networking
+}
+start()
+{
+	"$ZAPRET_INIT" start
+}
+stop()
+{
+	"$ZAPRET_INIT" stop
+}
+start_fw()
+{
+	"$ZAPRET_INIT" start_fw
+}
+stop_fw()
+{
+	"$ZAPRET_INIT" stop_fw
+}
+restart_fw()
+{
+	"$ZAPRET_INIT" restart_fw
+}
+start_daemons()
+{
+	"$ZAPRET_INIT" start_daemons
+}
+stop_daemons()
+{
+	"$ZAPRET_INIT" stop_daemons
+}
+restart_daemons()
+{
+	"$ZAPRET_INIT" restart_daemons
+}
+reload_ifsets()
+{
+	"$ZAPRET_INIT" reload_ifsets
+}
+list_ifsets()
+{
+	"$ZAPRET_INIT" list_ifsets
+}
+list_table()
+{
+	"$ZAPRET_INIT" list_table
+}

init.d/openwrt/90-zapret

@@ -0,0 +1,63 @@
+#!/bin/sh
+
+ZAPRET=/etc/init.d/zapret
+
+check_lan()
+{
+	IS_LAN=
+	[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
+	for lan in $OPENWRT_LAN; do
+		[ "$INTERFACE" = "$lan" ] && {
+			IS_LAN=1
+			break
+		}
+	done
+}
+check_need_to_reload_tpws6()
+{
+	# tpws6 dnat target nft map can only be reloaded within firewall apply procedure
+	# interface ifsets (wanif, wanif6, lanif) can be reloaded independently
+	check_lan
+	RELOAD_TPWS6=
+	[ "$ACTION" = "ifup" -a "$DISABLE_IPV6" != 1 -a -n "$IS_LAN" ] && [ "$MODE" = "tpws" -o "$MODE" = "custom" ] && RELOAD_TPWS6=1
+}
+
+
+[ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
+	SCRIPT=$(readlink "$ZAPRET")
+	if [ -n "$SCRIPT" ]; then
+		EXEDIR=$(dirname "$SCRIPT")
+		ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+	else
+		ZAPRET_BASE=/opt/zapret
+	fi
+	ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+	ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+	. "$ZAPRET_CONFIG"
+
+	check_need_to_reload_tpws6
+	[ -n "$RELOAD_TPWS6" ] && {
+		logger -t zapret restarting daemons due to $ACTION of $INTERFACE to update tpws6 dnat target
+		"$ZAPRET" restart_daemons
+	}
+	. "$ZAPRET_BASE/common/base.sh"
+	. "$ZAPRET_BASE/common/fwtype.sh"
+	linux_fwtype
+	case "$FWTYPE" in
+		nftables)
+			if [ -n "$RELOAD_TPWS6" ] ; then
+				logger -t zapret reloading nftables due to $ACTION of $INTERFACE to update tpws6 dnat target
+				"$ZAPRET" restart_fw
+			else
+				logger -t zapret reloading nftables ifsets due to $ACTION of $INTERFACE
+				"$ZAPRET" reload_ifsets
+			fi
+			;;
+		iptables)
+			openwrt_fw3 || {
+				logger -t zapret reloading iptables due to $ACTION of $INTERFACE
+				"$ZAPRET" restart_fw
+			}
+			;;
+	esac
+}

init.d/openwrt/custom.d.examples/10-inherit-nfqws

@@ -0,0 +1,22 @@
+# this custom script applies nfqws mode as it would be with MODE=nfqws
+
+OVERRIDE=nfqws
+
+zapret_custom_daemons()
+{
+        # stop logic is managed by procd
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,22 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,22 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/50-dht4all

@@ -0,0 +1,39 @@
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
+
+DNUM=101
+QNUM2=$(($DNUM * 5))
+
+zapret_custom_daemons()
+{
+        # stop logic is managed by procd
+
+        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+	run_daemon $DNUM $NFQWS "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+        local f uf4 uf6
+        local first_packet_only="$ipt_connbytes 1:1"
+        local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+        f='-p udp -m length --length 109:407 -m u32 --u32'
+	uf4='0>>22&0x3C@8>>16=0x6431'
+	uf6='48>>16=0x6431'
+        fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+        local f
+        local first_packet_only="$nft_connbytes 1"
+        local desync="mark and $DESYNC_MARK == 0"
+
+        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
+        nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
+}
+

init.d/openwrt/custom.d.examples/50-quic4all

@@ -0,0 +1,37 @@
+# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
+# NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
+
+DNUM=102
+QNUM2=$(($DNUM * 5))
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	run_daemon $DNUM $NFQWS "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f
+	local first_packets_only="$ipt_connbytes 1:3"
+	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
+	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f
+	local first_packets_only="$nft_connbytes 1-3"
+	local desync="mark and $DESYNC_MARK == 0"
+
+	f="udp dport {$QUIC_PORTS}"
+	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+}

init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https

@@ -0,0 +1,71 @@
+# this custom script demonstrates how to apply tpws to http and nfqws to https
+# it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt
+
+	[ "$MODE_HTTP" = "1" ] && {
+		opt="--port=$TPPORT $TPWS_OPT"
+		filter_apply_hostlist_target opt
+		filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+		run_tpws 1 "$opt"
+	}
+
+	[ "$MODE_HTTPS" = "1" ] && {
+		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
+		filter_apply_hostlist_target opt
+		filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
+		run_daemon 2 $NFQWS "$opt"
+	}
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6
+	local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
+	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+	[ "$MODE_HTTP" = "1" ] && {
+		f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_tpws $1 "$f4" "$f6" $TPPORT
+	}
+	
+	[ "$MODE_HTTPS" = "1" ] && {
+		f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		# for modes that require incoming traffic
+		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
+	}
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f4 f6
+	local first_packet_only="$nft_connbytes 1-$(first_packets_for_mode)"
+	local desync="mark and $DESYNC_MARK == 0"
+
+	[ "$MODE_HTTP" = "1" ] && {
+		f4="tcp dport {$HTTP_PORTS}"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_tpws "$f4" "$f6" $TPPORT
+	}
+	
+	[ "$MODE_HTTPS" = "1" ] && {
+		f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+		# for modes that require incoming traffic
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+	}
+}

init.d/openwrt/firewall.zapret

@@ -0,0 +1,11 @@
+SCRIPT=$(readlink /etc/init.d/zapret)
+if [ -n "$SCRIPT" ]; then
+ EXEDIR=$(dirname "$SCRIPT")
+ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+else
+ ZAPRET_BASE=/opt/zapret
+fi
+
+. "$ZAPRET_BASE/init.d/openwrt/functions"
+
+zapret_apply_firewall

init.d/openwrt/functions

@@ -0,0 +1,282 @@
+. /lib/functions/network.sh
+
+ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/queue.sh"
+. "$ZAPRET_BASE/common/linux_iphelper.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+. "$ZAPRET_BASE/common/nft.sh"
+. "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
+
+[ -n "$QNUM" ] || QNUM=200
+[ -n "$TPPORT" ] || TPPORT=988
+[ -n "$WS_USER" ] || WS_USER=daemon
+[ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000
+[ -n "$DESYNC_MARK_POSTNAT" ] || DESYNC_MARK_POSTNAT=0x20000000
+[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
+
+TPWS_LOCALHOST4=127.0.0.127
+
+# max wait time for the link local ipv6 on the LAN interface
+LINKLOCAL_WAIT_SEC=5
+
+IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
+
+IPSET_EXCLUDE="-m set ! --match-set nozapret"
+IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
+
+apply_unspecified_desync_modes
+
+
+# can be multiple ipv6 outgoing interfaces
+# uplink from isp, tunnelbroker, vpn, ...
+# want them all. who knows what's the real one that blocks sites
+# dont want any manual configuration - want to do it automatically
+# standard network_find_wan[6] return only the first
+# we use low level function from network.sh to avoid this limitation
+# it can change theoretically and stop working
+
+network_find_wan4_all()
+{
+	if [ -n "$OPENWRT_WAN4" ]; then
+		eval $1="\$OPENWRT_WAN4"
+	else
+		__network_ifstatus "$1" "" "[@.route[@.target='0.0.0.0' && !@.table]].interface" "" 10 2>/dev/null && return
+		network_find_wan $1
+	fi
+}
+network_find_wan_all()
+{
+	network_find_wan4_all "$@"
+}
+network_find_wan6_all()
+{
+	if [ -n "$OPENWRT_WAN6" ]; then
+		eval $1="\$OPENWRT_WAN6"
+	else
+		__network_ifstatus "$1" "" "[@.route[@.target='::' && !@.table]].interface" "" 10 2>/dev/null && return
+		network_find_wan6 $1
+	fi
+}
+network_find_wanX_devices()
+{
+	# $1 - ip version: 4 or 6
+	# $2 - variable to put result to
+	local ifaces
+	network_find_wan${1}_all ifaces
+	call_for_multiple_items network_get_device $2 "$ifaces"
+}
+
+
+dnat6_target()
+{
+	# $1 - lan network name
+	# $2 - var to store target ip6
+
+	network_is_up $1 || {
+		[ -n "$2" ] && eval $2=''
+		return
+	}
+
+	local DEVICE
+	network_get_device DEVICE $1
+
+	_dnat6_target $DEVICE $2
+}
+
+set_route_localnet()
+{
+	# $1 - 1 = enable, 0 = disable
+
+	local DLAN
+	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
+	_set_route_localnet $1 $DLAN
+}
+
+
+fw_nfqws_prepost_x()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - filter
+	# $3 - queue number
+	# $4 - 4/6
+	# $5 - post/pre
+
+	local ifaces DWAN
+	network_find_wan${4}_all ifaces
+	call_for_multiple_items network_get_device DWAN "$ifaces"
+
+	[ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
+}
+fw_nfqws_post4()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 4 post
+}
+fw_nfqws_post6()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 6 post
+}
+fw_nfqws_pre4()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 4 pre
+}
+fw_nfqws_pre6()
+{
+	fw_nfqws_prepost_x  $1 "$2" $3 6 pre
+}
+fw_tpws_x()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - filter
+	# $3 - tpws port
+	# $4 - ip version : 4 or 6
+
+	local ifaces DLAN DWAN
+
+	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
+
+	network_find_wan${4}_all ifaces
+	call_for_multiple_items network_get_device DWAN "$ifaces"
+
+	[ -n "$DWAN" ] && _fw_tpws${4} $1 "$2" $3 "$DLAN" "$(unique $DWAN)"
+}
+fw_tpws4()
+{
+	fw_tpws_x $1 "$2" $3 4
+}
+fw_tpws6()
+{
+	fw_tpws_x $1 "$2" $3 6
+}
+
+
+create_ipset()
+{
+	echo "Creating ip list table (firewall type $FWTYPE)"
+	"$IPSET_CR" "$@"
+}
+
+list_nfqws_rules()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	ip$1tables -S POSTROUTING -t mangle | \
+		grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \
+		sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
+}
+apply_flow_offloading_enable_rule()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local i off='-j FLOWOFFLOAD'
+	[ "$FLOWOFFLOAD" = "hardware" ] && off="$off --hw"
+	i="forwarding_rule_zapret -m comment --comment zapret_traffic_offloading_enable -m conntrack --ctstate RELATED,ESTABLISHED $off"
+	echo enabling ipv${1:-4} flow offloading : $i
+	ip$1tables -A $i
+}
+apply_flow_offloading_exempt_rule()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local i v
+	v=$1
+	shift
+	i="forwarding_rule_zapret $@ -m comment --comment zapret_traffic_offloading_exemption -j RETURN"
+	echo applying ipv${v:-4} flow offloading exemption : $i
+	ip${v}tables -A $i
+}
+flow_offloading_unexempt_v()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	local DWAN
+	network_find_wanX_devices ${1:-4} DWAN
+	for i in $DWAN; do ipt$1_del FORWARD -o $i -j forwarding_rule_zapret ; done
+	ip$1tables -F forwarding_rule_zapret 2>/dev/null
+	ip$1tables -X forwarding_rule_zapret 2>/dev/null
+}
+flow_offloading_exempt_v()
+{
+	# $1 = '' for ipv4, '6' for ipv6
+	is_ipt_flow_offload_avail $1 || return 0
+
+	flow_offloading_unexempt_v $1
+
+	[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
+		ip$1tables -N forwarding_rule_zapret
+
+		# remove outgoing interface
+		list_nfqws_rules $1 | sed -re 's/-o +[^ ]+//g' |
+		while read rule; do
+			apply_flow_offloading_exempt_rule "$1" $rule
+		done
+	
+		apply_flow_offloading_enable_rule $1
+
+		# only outgoing to WAN packets trigger flow offloading
+		local DWAN
+		network_find_wanX_devices ${1:-4} DWAN
+		for i in $DWAN; do ipt$1 FORWARD -o $i -j forwarding_rule_zapret; done
+	}
+	return 0
+}
+flow_offloading_exempt()
+{
+	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_exempt_v
+	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_exempt_v 6
+}
+flow_offloading_unexempt()
+{
+	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_unexempt_v
+	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_unexempt_v 6
+}
+
+
+
+nft_fill_ifsets_overload()
+{
+	local ifaces DLAN DWAN DWAN6 PDLAN PDWAN PDWAN6
+
+	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
+	call_for_multiple_items network_get_physdev PDLAN "$OPENWRT_LAN"
+
+	network_find_wan4_all ifaces
+	call_for_multiple_items network_get_device DWAN "$ifaces"
+	call_for_multiple_items network_get_physdev PDWAN "$ifaces"
+
+	network_find_wan6_all ifaces
+	call_for_multiple_items network_get_device DWAN6 "$ifaces"
+	call_for_multiple_items network_get_physdev PDWAN6 "$ifaces"
+
+	nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6" "$PDLAN" "$PDWAN" "$PDWAN6"
+}
+
+nft_fw_tpws4()
+{
+	_nft_fw_tpws4 "$1" $2 always_apply_wan_filter
+}
+nft_fw_tpws6()
+{
+	local DLAN
+	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
+	_nft_fw_tpws6 "$1" $2 "$DLAN" always_apply_wan_filter
+}
+nft_fw_nfqws_post4()
+{
+	_nft_fw_nfqws_post4 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_post6()
+{
+	_nft_fw_nfqws_post6 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_pre4()
+{
+	_nft_fw_nfqws_pre4 "$1" $2 always_apply_wan_filter
+}
+nft_fw_nfqws_pre6()
+{
+	_nft_fw_nfqws_pre6 "$1" $2 always_apply_wan_filter
+}

init.d/openwrt/zapret

@@ -0,0 +1,240 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+# after network
+START=21
+
+my_extra_command() {
+	local cmd="$1"
+	local help="$2"
+
+	local extra="$(printf "%-16s%s" "${cmd}" "${help}")"
+	EXTRA_HELP="${EXTRA_HELP}	${extra}
+"
+	EXTRA_COMMANDS="${EXTRA_COMMANDS} ${cmd}"
+}
+my_extra_command stop_fw "Stop zapret firewall (noop in iptables+fw3 case)"
+my_extra_command start_fw "Start zapret firewall (noop in iptables+fw3 case)"
+my_extra_command restart_fw "Restart zapret firewall (noop in iptables+fw3 case)"
+my_extra_command reload_ifsets "Reload interface lists (nftables only)"
+my_extra_command list_ifsets "Display interface lists (nftables only)"
+my_extra_command list_table "Display zapret nftable (nftables only)"
+my_extra_command stop_daemons "Stop zapret daemons only (=stop in iptables+fw3 case)"
+my_extra_command start_daemons "Start zapret daemons only (=start in iptables+fw3 case)"
+my_extra_command restart_daemons "Restart zapret firewall only (=restart in iptables+fw3 case)"
+
+SCRIPT=$(readlink /etc/init.d/zapret)
+if [ -n "$SCRIPT" ]; then
+ EXEDIR=$(dirname "$SCRIPT")
+ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+else
+ ZAPRET_BASE=/opt/zapret
+fi
+
+. "$ZAPRET_BASE/init.d/openwrt/functions"
+
+
+# !!!!! in old openwrt 21.x- with iptables firewall rules are configured separately
+# !!!!! in new openwrt >21.x with nftables firewall is configured here
+
+PIDDIR=/var/run
+
+[ -n "$NFQWS" ] || NFQWS="$ZAPRET_BASE/nfq/nfqws"
+NFQWS_OPT_BASE="--user=$WS_USER --dpi-desync-fwmark=$DESYNC_MARK"
+
+[ -n "$TPWS" ] || TPWS="$ZAPRET_BASE/tpws/tpws"
+TPWS_OPT_BASE="--user=$WS_USER"
+TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
+TPWS_OPT_BASE6="--bind-addr=::1"
+TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
+TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
+TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
+
+run_daemon()
+{
+	# $1 - daemon string id or number. can use 1,2,3,...
+	# $2 - daemon
+	# $3 - daemon args
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+	local DAEMONBASE="$(basename "$2")"
+	echo "Starting daemon $1: $2 $3"
+	procd_open_instance
+	procd_set_param command $2 $3
+	procd_set_param pidfile $PIDDIR/$DAEMONBASE$1.pid
+	procd_close_instance
+}
+
+run_tpws()
+{
+	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
+
+	local OPT="$TPWS_OPT_BASE"
+	local DEVICE
+
+	[ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4"
+	[ "$DISABLE_IPV6" = "1" ] || {
+		OPT="$OPT $TPWS_OPT_BASE6"
+		for lan in $OPENWRT_LAN; do
+		    network_get_device DEVICE $lan
+		    [ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE"
+		done
+	}
+	run_daemon $1 "$TPWS" "$OPT $2"
+}
+run_tpws_socks()
+{
+	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
+
+	local opt="$TPWS_OPT_BASE --socks"
+
+	tpws_apply_socks_binds opt
+	run_daemon $1 "$TPWS" "$opt $2"
+}
+
+stop_tpws()
+{
+	stop_daemon $1 "$TPWS"
+}
+
+
+tpws_apply_socks_binds()
+{
+	local o
+
+	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
+	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
+	
+	for lan in $OPENWRT_LAN; do
+	    network_get_device DEVICE $lan
+	    [ -n "$DEVICE" ] || continue
+	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
+	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+	done
+	eval $1="\"\$$1 $o\""
+}
+
+
+start_daemons_procd()
+{
+	local opt qn qns qn6 qns6
+
+	case "${MODE_OVERRIDE:-$MODE}" in
+		tpws)
+			opt="--port=$TPPORT $TPWS_OPT"
+			filter_apply_hostlist_target opt
+			filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+			run_tpws 1 "$opt"
+			;;
+		tpws-socks)
+			opt="--port=$TPPORT $TPWS_OPT"
+			filter_apply_hostlist_target opt
+			filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+			run_tpws_socks 1 "$opt"
+			;;
+		nfqws)
+			# quite complex but we need to minimize nfqws processes to save RAM
+			get_nfqws_qnums qn qns qn6 qns6
+			[ -z "$qn" ] || {
+				opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTP_SUFFIX"
+				run_daemon 1 "$NFQWS" "$opt"
+			}
+			[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
+				opt="--qnum=$qns $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
+				run_daemon 2 "$NFQWS" "$opt"
+			}
+			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
+				opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP6"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTP6_SUFFIX"
+				run_daemon 3 "$NFQWS" "$opt"
+			}
+			[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
+				opt="--qnum=$qns6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS6"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS6_SUFFIX"
+				run_daemon 4 "$NFQWS" "$opt"
+			}
+			get_nfqws_qnums_quic qn qn6
+			[ -z "$qn" ] || {
+				opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_QUIC_SUFFIX"
+				run_daemon 10 "$NFQWS" "$opt"
+			}
+			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
+				opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_QUIC6_SUFFIX"
+				run_daemon 11 "$NFQWS" "$opt"
+			}
+			;;
+		custom)
+	    		custom_runner zapret_custom_daemons $1
+			;;
+	esac
+
+	return 0
+}
+start_daemons()
+{
+	rc_procd start_daemons_procd "$@"
+}
+stop_daemons()
+{
+	local svc="$(basename ${basescript:-$initscript})"
+	procd_running "$svc" "$1" && procd_kill "$svc" "$1"
+}
+restart_daemons()
+{
+	stop_daemons
+	start_daemons
+}
+
+start_fw()
+{
+	zapret_apply_firewall
+}
+stop_fw()
+{
+	zapret_unapply_firewall
+}
+restart_fw()
+{
+	stop_fw
+	start_fw
+}
+reload_ifsets()
+{
+	zapret_reload_ifsets
+}
+list_ifsets()
+{
+	zapret_list_ifsets
+}
+list_table()
+{
+	zapret_list_table
+}
+
+start_service()
+{
+	start_daemons_procd
+	[ "$INIT_APPLY_FW" != "1" ] || {
+		linux_fwtype
+		openwrt_fw3_integration || start_fw
+	}
+}
+
+stop_service()
+{
+	# this procedure is called from stop()
+	# stop() already stop daemons
+	[ "$INIT_APPLY_FW" != "1" ] || {
+		linux_fwtype
+		openwrt_fw3_integration || stop_fw
+	}
+}

init.d/pfsense/zapret.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# this file should be placed to /usr/local/etc/rc.d and chmod 755
+
+# prepare system
+
+kldload ipfw
+kldload ipdivert
+
+# for older pfsense versions. newer do not have these sysctls
+sysctl net.inet.ip.pfil.outbound=ipfw,pf
+sysctl net.inet.ip.pfil.inbound=ipfw,pf
+sysctl net.inet6.ip6.pfil.outbound=ipfw,pf
+sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
+
+# required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
+pfctl -d ; pfctl -e
+
+# add ipfw rules and start daemon
+
+ipfw delete 100
+ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
+pkill ^dvtws$
+dvtws --daemon --port 989 --dpi-desync=split2

init.d/runit/zapret/finish

@@ -0,0 +1,2 @@
+#!/bin/sh
+/opt/zapret/init.d/sysv/zapret stop

init.d/runit/zapret/run

@@ -0,0 +1,3 @@
+#!/bin/sh
+/opt/zapret/init.d/sysv/zapret start
+exec chpst -b zapret sleep infinity

init.d/s6/zapret/down

@@ -0,0 +1,2 @@
+#!/bin/execlineb -P
+exec /opt/zapret/init.d/sysv/zapret stop

init.d/s6/zapret/type

@@ -0,0 +1 @@
+oneshot

init.d/s6/zapret/up

@@ -0,0 +1,2 @@
+#!/bin/execlineb -P
+exec /opt/zapret/init.d/sysv/zapret start

init.d/systemd/zapret-list-update.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=zapret ip/host list update
+
+[Service]
+Restart=no
+IgnoreSIGPIPE=no
+KillMode=control-group
+GuessMainPID=no
+RemainAfterExit=no
+ExecStart=/opt/zapret/ipset/get_config.sh
+
+[Install]
+WantedBy=multi-user.target

init.d/systemd/zapret-list-update.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=zapret ip/host list update timer
+
+[Timer]
+OnCalendar=*-*-2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 00:00:00
+RandomizedDelaySec=86400
+Persistent=true
+Unit=zapret-list-update.service
+
+[Install]
+WantedBy=timers.target

init.d/systemd/zapret.service

@@ -0,0 +1,17 @@
+[Unit]
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+Restart=no
+TimeoutSec=30sec
+IgnoreSIGPIPE=no
+KillMode=none
+GuessMainPID=no
+RemainAfterExit=no
+ExecStart=/opt/zapret/init.d/sysv/zapret start
+ExecStop=/opt/zapret/init.d/sysv/zapret stop
+
+[Install]
+WantedBy=multi-user.target

init.d/sysv/custom.d.examples/10-inherit-nfqws

@@ -0,0 +1,22 @@
+# this custom script applies nfqws mode as it would be with MODE=nfqws
+
+OVERRIDE=nfqws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,22 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,22 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/50-dht4all

@@ -0,0 +1,39 @@
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
+
+DNUM=101
+QNUM2=$(($DNUM * 5))
+
+zapret_custom_daemons()
+{
+        # stop logic is managed by procd
+
+        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+	do_nfqws $1 $DNUM "$opt"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+        local f uf4 uf6
+        local first_packet_only="$ipt_connbytes 1:1"
+        local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+        f='-p udp -m length --length 109:407 -m u32 --u32'
+	uf4='0>>22&0x3C@8>>16=0x6431'
+	uf6='48>>16=0x6431'
+        fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+        local f
+        local first_packet_only="$nft_connbytes 1"
+        local desync="mark and $DESYNC_MARK == 0"
+
+        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
+        nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
+}
+

init.d/sysv/custom.d.examples/50-quic4all

@@ -0,0 +1,37 @@
+# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
+# NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
+
+DNUM=102
+QNUM2=$(($DNUM * 5))
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	do_nfqws $1 $DNUM "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f
+	local first_packets_only="$ipt_connbytes 1:3"
+	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
+	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f
+	local first_packets_only="$nft_connbytes 1-3"
+	local desync="mark and $DESYNC_MARK == 0"
+
+	f="udp dport {$QUIC_PORTS}"
+	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+}

init.d/sysv/custom.d.examples/50-tpws4http-nfqws4https

@@ -0,0 +1,71 @@
+# this custom script demonstrates how to apply tpws to http and nfqws to https
+# it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt
+
+	[ "$MODE_HTTP" = "1" ] && {
+		opt="--port=$TPPORT $TPWS_OPT"
+		filter_apply_hostlist_target opt
+		filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+		do_tpws $1 1 "$opt"
+	}
+
+	[ "$MODE_HTTPS" = "1" ] && {
+		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
+		filter_apply_hostlist_target opt
+		filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
+		do_nfqws $1 2 "$opt"
+	}
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6
+	local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
+	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+	[ "$MODE_HTTP" = "1" ] && {
+		f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_tpws $1 "$f4" "$f6" $TPPORT
+	}
+	
+	[ "$MODE_HTTPS" = "1" ] && {
+		f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		# for modes that require incoming traffic
+		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
+	}
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f4 f6
+	local first_packet_only="$nft_connbytes 1-$(first_packets_for_mode)"
+	local desync="mark and $DESYNC_MARK == 0"
+
+	[ "$MODE_HTTP" = "1" ] && {
+		f4="tcp dport {$HTTP_PORTS}"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_tpws "$f4" "$f6" $TPPORT
+	}
+	
+	[ "$MODE_HTTPS" = "1" ] && {
+		f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+		# for modes that require incoming traffic
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+	}
+}

init.d/sysv/functions

@@ -0,0 +1,357 @@
+# init script functions library for desktop linux systems
+
+ZAPRET_BASE=${ZAPRET_BASE:-/opt/zapret}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/queue.sh"
+. "$ZAPRET_BASE/common/linux_iphelper.sh"
+. "$ZAPRET_BASE/common/ipt.sh"
+. "$ZAPRET_BASE/common/nft.sh"
+. "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
+
+user_exists()
+{
+	id -u $1 >/dev/null 2>/dev/null
+}
+useradd_compat()
+{
+	# $1 - username
+	# skip for readonly systems
+	[ -w "/etc" ] && {
+		if exists useradd ; then
+			useradd --no-create-home --system --shell /bin/false $1
+		elif is_linked_to_busybox adduser ; then
+			# some systems may miss nogroup group in /etc/group
+			# adduser fails if it's absent and no group is specified
+			addgroup nogroup 2>/dev/null
+			# busybox has special adduser syntax
+			adduser -S -H -D $1
+		elif exists adduser; then
+			adduser --no-create-home --system --disabled-login $1
+		fi
+	}
+	user_exists $1
+}
+prepare_user()
+{
+	# $WS_USER is required to prevent redirection of the traffic originating from TPWS itself
+	# otherwise infinite loop will occur
+	# also its good idea not to run tpws as root
+	user_exists $WS_USER || {
+		# fallback to daemon if we cant add WS_USER
+		useradd_compat $WS_USER || {
+			for user in daemon nobody; do
+				user_exists $user && {
+					WS_USER=$user
+					return 0
+				}
+			done
+			return 1
+		}
+	}
+}
+
+# this complex user selection allows to survive in any locked/readonly/minimalistic environment
+[ -n "$WS_USER" ] || WS_USER=tpws
+if prepare_user; then
+ USEROPT="--user=$WS_USER"
+else
+ WS_USER=1
+ USEROPT="--uid $WS_USER:$WS_USER"
+fi
+
+PIDDIR=/var/run
+IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
+
+[ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000
+[ -n "$DESYNC_MARK_POSTNAT" ] || DESYNC_MARK_POSTNAT=0x20000000
+
+[ -n "$QNUM" ] || QNUM=200
+[ -n "$NFQWS" ] || NFQWS="$ZAPRET_BASE/nfq/nfqws"
+NFQWS_OPT_BASE="$USEROPT --dpi-desync-fwmark=$DESYNC_MARK"
+apply_unspecified_desync_modes
+
+[ -n "$TPPORT" ] || TPPORT=988
+[ -n "$TPWS" ] || TPWS="$ZAPRET_BASE/tpws/tpws"
+TPWS_LOCALHOST4=127.0.0.127
+
+TPWS_OPT_BASE="$USEROPT"
+TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
+TPWS_OPT_BASE6="--bind-addr=::1"
+TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
+TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
+# first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
+TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
+
+# max wait time for the link local ipv6 on the LAN interface
+LINKLOCAL_WAIT_SEC=5
+
+IPSET_EXCLUDE="-m set ! --match-set nozapret"
+IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
+
+
+dnat6_target()
+{
+	_dnat6_target "$@"
+}
+set_route_localnet()
+{
+	_set_route_localnet $1 "$IFACE_LAN"
+}
+
+fw_nfqws_post4()
+{
+	_fw_nfqws_post4  $1 "$2" $3 "$IFACE_WAN"
+}
+fw_nfqws_post6()
+{
+	_fw_nfqws_post6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+fw_nfqws_pre4()
+{
+	_fw_nfqws_pre4  $1 "$2" $3 "$IFACE_WAN"
+}
+fw_nfqws_pre6()
+{
+	_fw_nfqws_pre6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+fw_tpws4()
+{
+	_fw_tpws4 $1 "$2" $3 "$IFACE_LAN" "$IFACE_WAN"
+}
+fw_tpws6()
+{
+	_fw_tpws6 $1 "$2" $3 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fw_tpws4()
+{
+	_nft_fw_tpws4 "$1" $2 "$IFACE_WAN"
+}
+nft_fw_tpws6()
+{
+	_nft_fw_tpws6 "$1" $2 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fw_nfqws_post4()
+{
+	_nft_fw_nfqws_post4 "$1" $2 "$IFACE_WAN"
+}
+nft_fw_nfqws_post6()
+{
+	_nft_fw_nfqws_post6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fw_nfqws_pre4()
+{
+	_nft_fw_nfqws_pre4 "$1" $2 "$IFACE_WAN"
+}
+nft_fw_nfqws_pre6()
+{
+	_nft_fw_nfqws_pre6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
+}
+nft_fill_ifsets_overload()
+{
+	nft_fill_ifsets "$IFACE_LAN" "$IFACE_WAN" "${IFACE_WAN6:-$IFACE_WAN}"
+}
+
+
+run_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# $3 - daemon args
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+
+	local DAEMONBASE="$(basename "$2")"
+	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
+	echo "Starting daemon $1: $2 $3"
+	if exists start-stop-daemon ; then
+		start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- $3
+	else
+		if [ -f "$PIDFILE" ] && pgrep -F "$PIDFILE" "$DAEMONBASE" >/dev/null; then
+			echo already running
+		else
+			"$2" $3 >/dev/null 2>/dev/null &
+			PID=$!
+			if [ -n "$PID" ]; then
+				echo $PID >$PIDFILE
+			else
+				echo could not start daemon $1 : $2 $3
+				false
+			fi
+		fi
+	fi
+}
+stop_daemon()
+{
+	# $1 - daemon number : 1,2,3,...
+	# $2 - daemon
+	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
+	local DAEMONBASE="$(basename "$2")"
+	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
+	echo "Stopping daemon $1: $2"
+	if exists start-stop-daemon ; then
+		start-stop-daemon -K -p "$PIDFILE" -x "$2"
+	else
+		if [ -f "$PIDFILE" ]; then
+			read PID <"$PIDFILE"
+			kill $PID
+			rm -f "$PIDFILE"
+		else
+			echo no pidfile : $PIDFILE
+		fi
+	fi
+}
+do_daemon()
+{
+	# $1 - 1 - run, 0 - stop
+	on_off_function run_daemon stop_daemon "$@"
+}
+
+
+do_tpws()
+{
+	# $1 : 1 - run, 0 - stop
+	# $2 : daemon number
+	# $3 : daemon args
+
+	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
+
+	local OPT="$TPWS_OPT_BASE"
+
+	[ "$DISABLE_IPV4" = "1" ] || OPT="$OPT $TPWS_OPT_BASE4"
+	[ "$DISABLE_IPV6" = "1" ] || {
+		OPT="$OPT $TPWS_OPT_BASE6"
+		for lan in $IFACE_LAN; do
+			OPT="$OPT --bind-iface6=$lan $TPWS_OPT_BASE6_PRE"
+		done
+	}
+
+	do_daemon $1 $2 "$TPWS" "$OPT $3"
+}
+do_tpws_socks()
+{
+	# $1 : 1 - run, 0 - stop
+	# $2 : daemon number
+	# $3 : daemon args
+
+	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
+
+	local opt="$TPWS_OPT_BASE --socks"
+
+	tpws_apply_socks_binds opt
+
+	do_daemon $1 $2 "$TPWS" "$opt $3"
+}
+
+do_nfqws()
+{
+	# $1 : 1 - run, 0 - stop
+	# $2 : daemon number
+	# $3 : daemon args
+
+	do_daemon $1 $2 "$NFQWS" "$NFQWS_OPT_BASE $3"
+}
+
+tpws_apply_socks_binds()
+{
+	local o
+
+	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
+	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
+	
+	for lan in $IFACE_LAN; do
+	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
+	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+	done
+	eval $1="\"\$$1 $o\""
+}
+
+
+create_ipset()
+{
+	echo "Creating ip list table (firewall type $FWTYPE)"
+	"$IPSET_CR" "$@"
+}
+
+
+zapret_do_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt qn qns qn6 qns6
+
+	case "${MODE_OVERRIDE:-$MODE}" in
+		tpws)
+			opt="--port=$TPPORT $TPWS_OPT"
+			filter_apply_hostlist_target opt
+			filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+			do_tpws $1 1 "$opt"
+			;;
+		tpws-socks)
+			opt="--port=$TPPORT $TPWS_OPT"
+			filter_apply_hostlist_target opt
+			filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
+			do_tpws_socks $1 1 "$opt"
+			;;
+		nfqws)
+			get_nfqws_qnums qn qns qn6 qns6
+			[ -z "$qn" ] || {
+				opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTP_SUFFIX"
+				do_nfqws $1 1 "$opt"
+			}
+			[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
+				opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
+				do_nfqws $1 2 "$opt"
+			}
+			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
+				opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTP6_SUFFIX"
+				do_nfqws $1 3 "$opt"
+			}
+			[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
+				opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS6_SUFFIX"
+				do_nfqws $1 4 "$opt"
+			}
+			get_nfqws_qnums_quic qn qn6
+			[ -z "$qn" ] || {
+				opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_QUIC_SUFFIX"
+				do_nfqws $1 10 "$opt"
+			}
+			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
+				opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
+				filter_apply_hostlist_target opt
+				filter_apply_suffix opt "$NFQWS_OPT_DESYNC_QUIC6_SUFFIX"
+				do_nfqws $1 11 "$opt"
+			}
+			;;
+		custom)
+			custom_runner zapret_custom_daemons $1
+			;;
+	esac
+
+	return 0
+}
+zapret_run_daemons()
+{
+	zapret_do_daemons 1 "$@"
+}
+zapret_stop_daemons()
+{
+	zapret_do_daemons 0 "$@"
+}
+

init.d/sysv/zapret

@@ -0,0 +1,83 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:		zapret
+# Required-Start:	$local_fs $network
+# Required-Stop:	$local_fs $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+### END INIT INFO
+
+SCRIPT=$(readlink -f "$0")
+EXEDIR=$(dirname "$SCRIPT")
+ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+. "$EXEDIR/functions"
+
+NAME=zapret
+DESC=anti-zapret
+
+do_start()
+{
+	zapret_run_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
+}
+do_stop()
+{
+	zapret_stop_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
+}
+
+case "$1" in
+	start)
+		do_start
+		;;
+
+	stop)
+		do_stop
+		;;
+
+	restart)
+		do_stop
+		do_start
+		;;
+
+	start-fw|start_fw)
+		zapret_apply_firewall
+		;;
+	stop-fw|stop_fw)
+		zapret_unapply_firewall
+		;;
+
+	restart-fw|restart_fw)
+		zapret_unapply_firewall
+		zapret_apply_firewall
+		;;
+	
+	start-daemons|start_daemons)
+		zapret_run_daemons
+		;;
+	stop-daemons|stop_daemons)
+		zapret_stop_daemons
+		;;
+	restart-daemons|restart_daemons)
+		zapret_stop_daemons
+		zapret_run_daemons
+		;;
+
+	reload-ifsets|reload_ifsets)	
+		zapret_reload_ifsets
+		;;
+	list-ifsets|list_ifsets)	
+		zapret_list_ifsets
+		;;
+	list-table|list_table)	
+		zapret_list_table
+		;;
+		
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
+	exit 1
+	;;
+esac
+
+exit 0