init script http+https

2025-04-19 21:42:59 +03:00 · 2019-05-05 23:35:10 +03:00 · 2019-05-05 23:35:10 +03:00 · 2acd50e130
commit 2acd50e130
parent f59feffd8c
9 changed files with 189 additions and 44 deletions
--- a/init.d/openwrt/firewall.user.nfqws_all_https
+++ b/init.d/openwrt/firewall.user.nfqws_all_https
@ -0,0 +1,9 @@
 QNUM=200
 IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443"
 IPT_FILTER_POST="-p tcp --dport 80"
 iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
 iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
 iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
 iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
--- a/init.d/openwrt/firewall.user.nfqws_ipset_https
+++ b/init.d/openwrt/firewall.user.nfqws_ipset_https
@ -0,0 +1,9 @@
 QNUM=200
 IPT_FILTER_PRE="-p tcp -m multiport --sports 80,443 -m set --match-set zapret src"
 IPT_FILTER_POST="-p tcp --dport 80 -m set --match-set zapret dst"
 iptables -t raw -C PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass ||
 iptables -t raw -I PREROUTING $IPT_FILTER_PRE -j NFQUEUE --queue-num $QNUM --queue-bypass
 iptables -t mangle -C POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass ||
 iptables -t mangle -I POSTROUTING $IPT_FILTER_POST -j NFQUEUE --queue-num $QNUM --queue-bypass
--- a/init.d/openwrt/firewall.user.tpws_all
+++ b/init.d/openwrt/firewall.user.tpws_all
@ -1,6 +1,6 @@
-TPPORT=1188
+TPPORT_HTTP=1188
 TPWS_USER=daemon
-IPT_FILTER="-p tcp --dport 80"
+IPT_FILTER_HTTP="-p tcp --dport 80"
 . /lib/functions/network.sh
@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
    network_get_device DEVICE $ext_iface
    # DNAT for local traffic
-    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
-     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
 done
 network_get_device DEVICE lan
 sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
-iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
- iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
--- a/init.d/openwrt/firewall.user.tpws_all_https
+++ b/init.d/openwrt/firewall.user.tpws_all_https
@ -0,0 +1,27 @@
 TPPORT_HTTP=1188
 TPPORT_HTTPS=1189
 TPWS_USER=daemon
 IPT_FILTER_HTTP="-p tcp --dport 80"
 IPT_FILTER_HTTPS="-p tcp --dport 443"
 . /lib/functions/network.sh
 network_find_wan wan_iface
 for ext_iface in $wan_iface; do
    network_get_device DEVICE $ext_iface
    # DNAT for local traffic
    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
 done
 network_get_device DEVICE lan
 sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
 iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
 iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
 iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
 iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
--- a/init.d/openwrt/firewall.user.tpws_ipset
+++ b/init.d/openwrt/firewall.user.tpws_ipset
@ -1,6 +1,6 @@
-TPPORT=1188
+TPPORT_HTTP=1188
 TPWS_USER=daemon
-IPT_FILTER="-p tcp --dport 80 -m set --match-set zapret dst"
+IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
 . /lib/functions/network.sh
@ -10,12 +10,12 @@ for ext_iface in $wan_iface; do
    network_get_device DEVICE $ext_iface
    # DNAT for local traffic
-    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
+    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
-     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
 done
 network_get_device DEVICE lan
 sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
-iptables -t nat -C prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT ||
+iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
- iptables -t nat -I prerouting_lan_rule $IPT_FILTER -j DNAT --to 127.0.0.1:$TPPORT
+ iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
--- a/init.d/openwrt/firewall.user.tpws_ipset_https
+++ b/init.d/openwrt/firewall.user.tpws_ipset_https
@ -0,0 +1,27 @@
 TPPORT_HTTP=1188
 TPPORT_HTTPS=1189
 TPWS_USER=daemon
 IPT_FILTER_HTTP="-p tcp --dport 80 -m set --match-set zapret dst"
 IPT_FILTER_HTTPS="-p tcp --dport 443 -m set --match-set zapret dst"
 . /lib/functions/network.sh
 network_find_wan wan_iface
 for ext_iface in $wan_iface; do
    network_get_device DEVICE $ext_iface
    # DNAT for local traffic
    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
    iptables -t nat -C OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
     iptables -t nat -I OUTPUT -o $DEVICE -m owner ! --uid-owner $TPWS_USER $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
 done
 network_get_device DEVICE lan
 sysctl -w net.ipv4.conf.$DEVICE.route_localnet=1
 iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP ||
 iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTP -j DNAT --to 127.0.0.1:$TPPORT_HTTP
 iptables -t nat -C prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS ||
 iptables -t nat -I prerouting_lan_rule $IPT_FILTER_HTTPS -j DNAT --to 127.0.0.1:$TPPORT_HTTPS
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -13,19 +13,24 @@ START=18
 # using nfqws with ipset
 #MODE=nfqws_ipset
 #MODE=nfqws_ipset_https
 # using nfqws for all
 #MODE=nfqws_all
 #MODE=nfqws_all_https
 # CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
 NFQWS_OPT="--wsize=3 --hostspell=HOST"
 # using tpws with ipset
-MODE=tpws_ipset
+#MODE=tpws_ipset
 MODE=tpws_ipset_https
 # using tpws for all
 #MODE=tpws_all
 #MODE=tpws_all_https
 # using tpws with hostlist
 #MODE=tpws_hostlist
 # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
 TPWS_OPT_HTTPS="--split-pos=3"
 # only fill ipset, do not run daemons
 #MODE=ipset
@ -47,11 +52,14 @@ QNUM=200
 NFQWS=$ZAPRET_BASE/nfq/nfqws
 NFQWS_OPT_BASE="--qnum=$QNUM"
-TPPORT=1188
+TPPORT_HTTP=1188
 TPPORT_HTTPS=1189
 TPWS=$ZAPRET_BASE/tpws/tpws
 TPWS_USER=daemon
 TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
-TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
 TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
 TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"
 # must execute /etc/firewall.user on every firewall reload
@ -99,20 +107,22 @@ start_service() {
 	case "${MODE}" in
 	    tpws_hostlist)
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
 		;;
-	    tpws_ipset)
+	    tpws_ipset|tpws_all)
 		create_ipset
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 		;;
-	    tpws_all)
+	    tpws_ipset_https|tpws_all_https)
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+		create_ipset
 		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
 		;;
-	    nfqws_ipset)
+	    nfqws_ipset|nfqws_ipset_https)
 		create_ipset
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
-	    nfqws_all)
+	    nfqws_all|nfqws_all_https)
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
 	    ipset)
--- a/init.d/sysv/zapret
+++ b/init.d/sysv/zapret
@ -18,19 +18,24 @@
 # using nfqws with ipset
 #MODE=nfqws_ipset
 #MODE=nfqws_ipset_https
 # using nfqws for all
 #MODE=nfqws_all
 #MODE=nfqws_all_https
 # CHOOSE NFQWS DAEMON OPTIONS. run "nfq/nfqws --help" for option list
 NFQWS_OPT="--wsize=3 --hostspell=HOST"
 # using tpws with ipset
-MODE=tpws_ipset
+#MODE=tpws_ipset
 MODE=tpws_ipset_https
 # using tpws for all
 #MODE=tpws_all
 #MODE=tpws_all_https
 # using tpws with hostlist
 #MODE=tpws_hostlist
 # CHOOSE TPWS DAEMON OPTIONS. run "tpws/tpws --help" for option list
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
 TPWS_OPT_HTTPS="--split-pos=3"
 # only fill ipset, do not run daemons
 #MODE=ipset
@ -58,11 +63,14 @@ QNUM=200
 NFQWS=$ZAPRET_BASE/nfq/nfqws
 NFQWS_OPT_BASE="--qnum=$QNUM"
-TPPORT=1188
+TPPORT_HTTP=1188
 TPPORT_HTTPS=1189
 TPWS=$ZAPRET_BASE/tpws/tpws
 TPWS_USER=tpws
 TPWS_HOSTLIST=$ZAPRET_BASE/ipset/zapret-hosts.txt
-TPWS_OPT_BASE="--port=$TPPORT --user=$TPWS_USER --bind-addr=127.0.0.1"
+TPWS_OPT_BASE="--user=$TPWS_USER --bind-addr=127.0.0.1"
 TPWS_OPT_BASE_HTTP="--port=$TPPORT_HTTP $TPWS_OPT_BASE"
 TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS $TPWS_OPT_BASE"
 # exit script on any error
 set -e
@ -75,25 +83,27 @@ exists()
 fw_tpws_add()
 {
 	# $1 - iptable filter
 	# $2 - tpws port
 	echo "Adding iptables rule for tpws : $1"
 	[ -n "$SLAVE_ETH" ] && {
-		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
+		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
-		 iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+		 iptables -t nat -I PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
 	}
-	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null ||
+	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null ||
-	 iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+	 iptables -t nat -I OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2
 }
 fw_tpws_del()
 {
 	# $1 - iptable filter
 	# $2 - tpws port
 	echo "Deleting iptables rule for tpws : $1"
 	[ -n "$SLAVE_ETH" ] && {
-		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
+		iptables -t nat -C PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
-		 iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+		 iptables -t nat -D PREROUTING -i $SLAVE_ETH -p tcp $1 -j DNAT --to 127.0.0.1:$2
 	}
-	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT 2>/dev/null &&
+	iptables -t nat -C OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2 2>/dev/null &&
-	 iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$TPPORT
+	 iptables -t nat -D OUTPUT -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$2
 	true
 }
 fw_nfqws_add_pre()
@ -199,19 +209,34 @@ case "$1" in
 	case "${MODE}" in
 	    tpws_hostlist)
 	    	prepare_tpws
-		fw_tpws_add "--dport 80"
+		fw_tpws_add "--dport 80" $TPPORT_HTTP
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT --hostlist=$TPWS_HOSTLIST"
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP --hostlist=$TPWS_HOSTLIST"
 		;;
 	    tpws_ipset)
 		create_ipset
 	    	prepare_tpws
-		fw_tpws_add "--dport 80 -m set --match-set zapret dst"
+		fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 		;;
 	    tpws_ipset_https)
 		create_ipset
 	    	prepare_tpws
 		fw_tpws_add "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
 		fw_tpws_add "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
 		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
 		;;
 	    tpws_all)
 	    	prepare_tpws
-		fw_tpws_add "--dport 80"
+		fw_tpws_add "--dport 80" $TPPORT_HTTP
-		run_daemon 1 $TPWS "$TPWS_OPT_BASE $TPWS_OPT"
+		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 		;;
 	    tpws_all_https)
 	    	prepare_tpws
 		fw_tpws_add "--dport 80" $TPPORT_HTTP
 		fw_tpws_add "--dport 443" $TPPORT_HTTPS
 		run_daemon 1 $TPWS "$TPWS_OPT_BASE_HTTP $TPWS_OPT_HTTP"
 		run_daemon 2 $TPWS "$TPWS_OPT_BASE_HTTPS $TPWS_OPT_HTTPS"
 		;;
 	    nfqws_ipset)
 		create_ipset
@ -219,11 +244,22 @@ case "$1" in
 		fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
 	    nfqws_ipset_https)
 		create_ipset
 		fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
 		fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst"
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
 	    nfqws_all)
 		fw_nfqws_add_pre "--sport 80"
 		fw_nfqws_add_post "--dport 80"
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
 	    nfqws_all_https)
 		fw_nfqws_add_pre "-m multiport --sports 80,443"
 		fw_nfqws_add_post "--dport 80"
 		run_daemon 1 $NFQWS "$NFQWS_OPT_BASE $NFQWS_OPT"
 		;;
 	    ipset)
 		create_ipset
 		;;
@ -241,23 +277,45 @@ case "$1" in
  stop)
 	case "${MODE}" in
 	    tpws_hostlist|tpws_all)
-		fw_tpws_del "--dport 80"
+		fw_tpws_del "--dport 80" $TPPORT_HTTP
 		stop_daemon 1 $TPWS
 		;;
 	    tpws_ipset)
-		fw_tpws_del "--dport 80 -m set --match-set zapret dst"
+		fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
 		stop_daemon 1 $TPWS
 		;;
 	    tpws_ipset_https)
 		fw_tpws_del "--dport 80 -m set --match-set zapret dst" $TPPORT_HTTP
 		fw_tpws_del "--dport 443 -m set --match-set zapret dst" $TPPORT_HTTPS
 		stop_daemon 1 $TPWS
 		stop_daemon 2 $TPWS
 		;;
 	    tpws_all_https)
 		fw_tpws_del "--dport 80" $TPPORT_HTTP
 		fw_tpws_del "--dport 443" $TPPORT_HTTPS
 		stop_daemon 1 $TPWS
 		stop_daemon 2 $TPWS
 		;;
 	    nfqws_ipset)
 		fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src"
 		fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
 		stop_daemon 1 $NFQWS
 		;;
 	    nfqws_ipset_https)
 		fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src"
 		fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst"
 		stop_daemon 1 $NFQWS
 		;;
 	    nfqws_all)
 		fw_nfqws_del_pre "--sport 80"
 		fw_nfqws_del_post "--dport 80"
 		stop_daemon 1 $NFQWS
 		;;
 	    nfqws_all_https)
 		fw_nfqws_del_pre "-m multiport --sports 80,443"
 		fw_nfqws_del_post "--dport 80"
 		stop_daemon 1 $NFQWS
 		;;
 	    custom)
 		# PLACEHOLDER
 		echo !!! NEED ATTENTION !!!
--- a/readme.txt
+++ b/readme.txt
@ -210,9 +210,13 @@ tpws должен запускаться без фильтрации по ipset.
 Выберите MODE. Снимите комментарий только с одного из присваиваний.
 nfqws_ipset - использовать nfqws для модификации трафика на порт 80 только на IP из ipset "zapret"
 nfqws_ipset_https - использовать nfqws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
 nfqws_all - использовать nfqws для модификации трафика на порт 80 для всех IP
 nfqws_all_https - использовать nfqws для модификации трафика на порты 80 и 443 для всех IP
 tpws_ipset - использовать tpws для модификации трафика на порт 80 только на IP из ipset "zapret"
 tpws_ipset_https - использовать tpws для модификации трафика на порты 80 и 443 только на IP из ipset "zapret"
 tpws_all - использовать tpws для модификации трафика на порт 80 для всех IP
 tpws_all_https - использовать tpws для модификации трафика на порты 80 и 443 для всех IP
 tpws_hostlist - пропускать через tpws весь трафик на порт 80. tpws применяет дурение только к хостам из hostlist.
 ipset - только заполнить ipset. ipset может быть применен для заворота трафика на прокси или на VPN
 custom - нужно самому запрограммировать запуск демонов и правила iptables
@ -220,7 +224,8 @@ custom - нужно самому запрограммировать запуск
 Можно изменить опции дурения, применяемые демонами nfqws и tpws :
 NFQWS_OPT="--wsize=3 --hostspell=HOST"
-TPWS_OPT="--hostspell=HOST --split-http-req=method"
+TPWS_OPT_HTTP="--hostspell=HOST --split-http-req=method"
 TPWS_OPT_HTTPS="--split-pos=3"
 Пример установки на debian-подобную систему
 -------------------------------------------