From 719a5355b85ca48fbe2842975c4715570bc87df0 Mon Sep 17 00:00:00 2001 From: bol-van Date: Thu, 9 Dec 2021 20:05:15 +0300 Subject: [PATCH] blockcheck: tpws checks, more nfqws checks --- blockcheck.sh | 130 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 111 insertions(+), 19 deletions(-) diff --git a/blockcheck.sh b/blockcheck.sh index c335134..9f644a5 100755 --- a/blockcheck.sh +++ b/blockcheck.sh @@ -5,7 +5,10 @@ EXEDIR="$(cd "$EXEDIR"; pwd)" ZAPRET_BASE="$EXEDIR" [ -n "$QNUM" ] || QNUM=59780 +[ -n "$TPPORT" ] || TPPORT=993 +[ -n "$TPWS_UID" ] || TPWS_UID=1 [ -n "$NFQWS" ] || NFQWS="$ZAPRET_BASE/nfq/nfqws" +[ -n "$TPWS" ] || TPWS="$ZAPRET_BASE/tpws/tpws" [ -n "$MDIG" ] || MDIG="$ZAPRET_BASE/mdig/mdig" [ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000 DOMAIN=rutracker.org @@ -115,8 +118,8 @@ check_prerequisites() { echo \* checking prerequisites - [ -x "$NFQWS" ] && [ -x "$MDIG" ] || { - echo $NFQWS or $MDIG is not available. run $ZAPRET_BASE/install_bin.sh + [ -x "$NFQWS" ] && [ -x "$TPWS" ] && [ -x "$MDIG" ] || { + echo $NFQWS or $MDIG or $TPWS is not available. run $ZAPRET_BASE/install_bin.sh exitp 6 } @@ -183,10 +186,24 @@ nfqws_ipt_unprepare() # $1 - port IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM } +tpws_ipt_prepare() +{ + # $1 - port + IPT OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT +} +tpws_ipt_unprepare() +{ + # $1 - port + IPT_DEL OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT +} nfqws_start() { "$NFQWS" --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null & } +tpws_start() +{ + "$TPWS" --uid $TPWS_UID:$TPWS_UID --bind-addr=$LOCALHOST --port=$TPPORT "$@" >/dev/null & +} curl_test() { @@ -204,32 +221,51 @@ curl_test() fi return $code } -nfqws_curl_test() +ws_curl_test() { - # $1 - test function - # $2 - domain - # $3,$4,$5, ... - nfqws params - local code pid testf=$1 dom=$2 + # $1 - ws start function + # $2 - test function + # $3 - domain + # $4,$5,$6, ... - ws params + local code pid ws_start=$1 testf=$2 dom=$3 shift shift - echo - checking nfqws "$@" - nfqws_start "$@" + shift + $ws_start "$@" pid=$! + # let some time for tpws to initialize +sleep 1 curl_test $testf $dom code=$? killwait -9 $pid return $code } -check_domain_bypass() +tpws_curl_test() +{ + # $1 - test function + # $2 - domain + # $3,$4,$5, ... - tpws params + echo - checking tpws $3 $4 $5 $6 $7 $8 $9 + ws_curl_test tpws_start "$@" +} +nfqws_curl_test() +{ + # $1 - test function + # $2 - domain + # $3,$4,$5, ... - nfqws params + echo - checking nfqws $3 $4 $5 $6 $7 $8 $9 + ws_curl_test nfqws_start "$@" +} +nfqws_check_domain_bypass() { # $1 - test function # $2 - encrypted test : 1/0 # $3 - domain - local pid strategy tests='fake' ttls s sec="$2" found + local strategy tests='fake' ttls s sec="$2" found [ "$sec" = 0 ] && { - for s in '--hostcase' '--hostnospace' '--domcase'; do + for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}" done } @@ -238,18 +274,30 @@ check_domain_bypass() if nfqws_curl_test $1 $3 $s; then strategy="${strategy:-$s}" else - tests="$tests split fake,split" + tests="$tests split fake,split2 fake,split" [ "$sec" = 0 ] && { s="$s --hostcase" nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}" } + for pos in 1 2 4 5 10 50 100; do + s="--dpi-desync=split2 --dpi-desync-split-pos=$pos" + if nfqws_curl_test $1 $3 $s; then + strategy="${strategy:-$s}" + break + else + [ "$sec" = 0 ] && { + s="$s --hostcase" + nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}" + } + fi + done fi s="--dpi-desync=disorder2" if nfqws_curl_test $1 $3 $s; then strategy="${strategy:-$s}" else - tests="$tests disorder fake,disorder" + tests="$tests disorder fake,disorder2 fake,disorder" fi ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL) @@ -299,6 +347,36 @@ check_domain_bypass() return 1 fi } +tpws_check_domain_bypass() +{ + # $1 - test function + # $2 - encrypted test : 1/0 + # $3 - domain + local s strategy sec="$2" + if [ "$sec" = 0 ]; then + for s in '--hostcase' '--hostspell=hoSt' '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase' \ + '--hostdot' '--hosttab' '--hostnospace' '--methodspace' '--methodeol' '--unixeol' \ + '--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384'; do + tpws_curl_test $1 $3 $s && strategy="${strategy:-$s}" + done + else + for pos in 1 2 3 4 5 10 50 100; do + s="--split-pos=$pos" + tpws_curl_test $1 $3 $s && { + strategy="${strategy:-$s}" + break + } + done + fi + echo + if [ -n "$strategy" ]; then + echo "!!!!! working strategy found : tpws $strategy !!!!!" + return 0 + else + echo 'working strategy not found' + return 1 + fi +} check_domain() { @@ -314,7 +392,7 @@ check_domain() # in case was interrupted before nfqws_ipt_unprepare $2 - killall nfqws 2>/dev/null + killall nfqws tpws 2>/dev/null echo "- checking without DPI bypass" curl_test $1 $4 && return @@ -323,10 +401,20 @@ check_domain() [ $code = $c ] && return done + echo preparing tpws redirection + tpws_ipt_prepare $2 + + tpws_check_domain_bypass $1 $3 $4 + + echo clearing tpws redirection + tpws_ipt_unprepare $2 + + echo + echo preparing nfqws redirection nfqws_ipt_prepare $2 - check_domain_bypass $1 $3 $4 + nfqws_check_domain_bypass $1 $3 $4 echo clearing nfqws redirection nfqws_ipt_unprepare $2 @@ -346,7 +434,7 @@ ask_params() { echo echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN - echo NOTE ! this test will kill all nfqws processes. if you have already set up zapret you will need to restart it after test is complete. + echo NOTE ! this test will kill all nfqws and tpws processes. if you have already set up zapret you will need to restart it after test is complete. $ECHON "test this domain (default: $DOMAIN) : " local dom @@ -361,7 +449,9 @@ ask_params() exitp 1 } IPTABLES=iptables - [ "$IPV" = 6 ] && IPTABLES=ip6tables + LOCALHOST=127.0.0.1 + LOCALHOST_IPT=127.0.0.1 + [ "$IPV" = 6 ] && { IPTABLES=ip6tables; LOCALHOST=::1; LOCALHOST_IPT=[::1]; } ENABLE_HTTP=1 ask_yes_no_var ENABLE_HTTP "check http" @@ -484,9 +574,11 @@ sigint() # make sure we are not in a middle state that impacts connectivity echo echo terminating... + tpws_ipt_unprepare 80 + tpws_ipt_unprepare 443 nfqws_ipt_unprepare 80 nfqws_ipt_unprepare 443 - killall nfqws 2>/dev/null + killall nfqws tpws 2>/dev/null exitp 1 }