From 755915a3ba268f824afa2bf7d4f1dd9027023911 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sat, 12 Oct 2024 21:28:51 +0300 Subject: [PATCH] init.d: number pools. FW_EXTRA. nft insert. customs reorder --- common/base.sh | 19 +++++ common/custom.sh | 17 +++++ common/ipt.sh | 6 +- common/nft.sh | 30 +++++--- common/pf.sh | 5 +- docs/changes.txt | 5 ++ docs/readme.txt | 56 +++++++++------ init.d/macos/custom.d.examples/50-extra-tpws | 23 +++--- .../{10-inherit-tpws => 90-inherit-tpws} | 0 ...herit-tpws-socks => 90-inherit-tpws-socks} | 0 .../openwrt/custom.d.examples/10-inherit-tpws | 2 +- .../custom.d.examples/10-inherit-tpws-socks | 2 +- .../10-inherit-tpws4http-nfqws4https | 35 +++++++++ init.d/openwrt/custom.d.examples/50-dht4all | 11 ++- init.d/openwrt/custom.d.examples/50-discord | 8 +-- init.d/openwrt/custom.d.examples/50-quic4all | 10 +-- .../50-tpws4http-nfqws4https | 71 ------------------- .../10-inherit-tpws4http-nfqws4https | 35 +++++++++ init.d/sysv/custom.d.examples/50-dht4all | 12 ++-- init.d/sysv/custom.d.examples/50-discord | 8 +-- init.d/sysv/custom.d.examples/50-quic4all | 12 ++-- .../50-tpws4http-nfqws4https | 71 ------------------- 22 files changed, 216 insertions(+), 222 deletions(-) rename init.d/macos/custom.d.examples/{10-inherit-tpws => 90-inherit-tpws} (100%) rename init.d/macos/custom.d.examples/{10-inherit-tpws-socks => 90-inherit-tpws-socks} (100%) create mode 100644 init.d/openwrt/custom.d.examples/10-inherit-tpws4http-nfqws4https delete mode 100644 init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https create mode 100644 init.d/sysv/custom.d.examples/10-inherit-tpws4http-nfqws4https delete mode 100644 init.d/sysv/custom.d.examples/50-tpws4http-nfqws4https diff --git a/common/base.sh b/common/base.sh index 7c772ef..39a3872 100644 --- a/common/base.sh +++ b/common/base.sh 
@@ -329,6 +329,25 @@ win_process_exists()
 tasklist /NH /FI "IMAGENAME eq ${1}.exe" | grep -q "^${1}.exe"
 }
+alloc_num()
+{
+ # $1 - source var name
+ # $2 - target var name
+ # $3 - min
+ # $4 - max
+
+ local v
+ eval v="\$$2"
+ # do not replace existing value
+ [ -n "$v" ] && return
+ eval v="\$$1"
+ [ -n "$v" ] || v=$3
+ eval $2="$v"
+ v=$((v + 1))
+ [ $v -gt $4 ] && v=$3
+ eval $1="$v"
+}
+
 std_ports()
 {
 HTTP_PORTS=${HTTP_PORTS:-80}
diff --git a/common/custom.sh b/common/custom.sh
index 40b65a7..db98837 100644
--- a/common/custom.sh
+++ b/common/custom.sh
@@ -23,3 +23,20 @@ custom_runner()
 }
 }
 }
+
+alloc_tpws_port()
+{
+ # $1 - target var name
+ alloc_num NUMPOOL_TPWS_PORT $1 910 979
+}
+alloc_qnum()
+{
+ # $1 - target var name
+ alloc_num NUMPOOL_QNUM $1 65400 65499
+}
+alloc_dnum()
+{
+ # alloc daemon number
+ # $1 - target var name
+ alloc_num NUMPOOL_DNUM $1 1000 1999
+}
diff --git a/common/ipt.sh b/common/ipt.sh
index c134d82..9f6b33f 100644
--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -3,15 +3,15 @@ readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=p
 ipt()
 {
- iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
+ iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || iptables $FW_EXTRA_PRE -I "$@" $FW_EXTRA_POST
 }
 ipta()
 {
- iptables -C "$@" >/dev/null 2>/dev/null || iptables -A "$@"
+ iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null || iptables $FW_EXTRA_PRE -A "$@" $FW_EXTRA_POST
 }
 ipt_del()
 {
- iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@"
+ iptables $FW_EXTRA_PRE -C "$@" $FW_EXTRA_POST >/dev/null 2>/dev/null && iptables $FW_EXTRA_PRE -D "$@" $FW_EXTRA_POST
 }
 ipt_add_del()
 {
diff --git a/common/nft.sh b/common/nft.sh
index 4465676..0fdf347 100644
--- a/common/nft.sh
+++ b/common/nft.sh
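Review bot: alloc_num hands out a duplicate once a pool is exhausted: after the maximum `$4` has been assigned the counter wraps to `$3` (`[ $v -gt $4 ] && v=$3`), so the next caller silently receives a number already given out, with exit status 0, and the wrappers in custom.sh pass that status through unchanged. Keeping the counter past the maximum and refusing at the top when it is out of range turns the overlap into a visible error, which is what the readme text in this commit promises. The `eval` on `$1`/`$2` is only ever fed the fixed names from custom.sh, but the header should say the names must be shell identifiers, and it should also state that a pre-set target is kept (`[ -n "$v" ] && return`), since that is what lets a config pin a port or queue number.
```sh
	# … unchanged: read $2 and return early if it is already set …
	eval v="\$$1"
	[ -n "$v" ] || v=$3
	# do not wrap around: a wrapped counter would hand out a number that is already taken
	[ "$v" -gt "$4" ] && { echo "alloc_num: pool $1 ($3..$4) exhausted" >&2; return 1; }
	eval $2="$v"
	eval $1="$((v + 1))"
```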
@@ -199,7 +199,15 @@ nft_add_rule()
 # $2,$3,... - rule(s)
 local chain="$1"
 shift
- nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
+ nft add rule inet $ZAPRET_NFT_TABLE $chain $FW_EXTRA_PRE "$@"
+}
+nft_insert_rule()
+{
+ # $1 - chain
+ # $2,$3,... - rule(s)
+ local chain="$1"
+ shift
+ nft insert rule inet $ZAPRET_NFT_TABLE $chain $FW_EXTRA_PRE "$@"
 }
 nft_add_set_element()
 {
@@ -227,6 +235,7 @@ nft_clean_nfqws_rule()
 nft_add_nfqws_flow_exempt_rule()
 {
 # $1 - rule (must be all filters in one var)
+ local FW_EXTRA_POST= FW_EXTRA_PRE=
 nft_add_rule flow_offload $(nft_clean_nfqws_rule $1) return comment \"direct flow offloading exemption\"
 # do not need this because of oifname @wanif/@wanif6 filter in forward chain
 #nft_add_rule flow_offload $(nft_reverse_nfqws_rule $1) return comment \"reverse flow offloading exemption\"
@@ -236,6 +245,7 @@ nft_add_flow_offload_exemption()
 # "$1" - rule for ipv4
 # "$2" - rule for ipv6
 # "$3" - comment
+ local FW_EXTRA_POST= FW_EXTRA_PRE=
 [ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif $1 ip daddr != @nozapret return comment \"$3\"
 [ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
 }
@@ -399,7 +409,7 @@ nft_only()
 nft_print_op()
 {
- echo "Adding nftables ipv$3 rule for $2 : $1"
+ echo "Inserting nftables ipv$3 rule for $2 : $1"
 }
 _nft_fw_tpws4()
 {
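Review bot: nft_insert_rule is a copy of nft_add_rule differing only in the verb, and neither helper's header says how the two FW_EXTRA variables are split: the helper splices `$FW_EXTRA_PRE` right after the chain, while `$FW_EXTRA_POST` is left for the caller to place in front of the verdict, as the `_nft_fw_*` rules further down do. I would add to both helpers `# $FW_EXTRA_PRE is placed before the caller's expression; the caller itself puts $FW_EXTRA_POST before the verdict` and, on the two `local FW_EXTRA_POST= FW_EXTRA_PRE=` lines, `# flow offload exemptions are internal rules: never apply custom FW_EXTRA_* to them`. The expansions are unquoted on purpose so a variable can carry several nft tokens; a one-line comment saying so would stop a future quoting "fix" from turning the whole value into one token.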
@@ -410,8 +420,8 @@ _nft_fw_tpws4() [ "$DISABLE_IPV4" = "1" -o -z "$1" ] || { local filter="$1" port="$2" nft_print_op "$filter" "tpws (port $2)" 4 - nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port - nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port + nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port + nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port prepare_route_localnet } } @@ -425,9 +435,9 @@ _nft_fw_tpws6() [ "$DISABLE_IPV6" = "1" -o -z "$1" ] || { local filter="$1" port="$2" DNAT6 i nft_print_op "$filter" "tpws (port $port)" 6 - nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port + nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to [::1]:$port [ -n "$3" ] && { - nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port + nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port for i in $3; do _dnat6_target $i DNAT6 # can be multiple tpws processes on different ports @@ -476,7 +486,7 @@ _nft_fw_nfqws_post4() nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4 rule="${3:+oifname @wanif }$filter ip daddr != @nozapret" is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT" - nft_add_rule $chain $rule $setmark queue num $port bypass + nft_insert_rule $chain $rule $setmark $FW_EXTRA_POST queue num $port bypass nft_add_nfqws_flow_exempt_rule "$rule" } } 
@@ -491,7 +501,7 @@ _nft_fw_nfqws_post6() nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6 rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6" is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT" - nft_add_rule $chain $rule $setmark queue num $port bypass + nft_insert_rule $chain $rule $setmark $FW_EXTRA_POST queue num $port bypass nft_add_nfqws_flow_exempt_rule "$rule" } } @@ -515,7 +525,7 @@ _nft_fw_nfqws_pre4() local filter="$1" port="$2" rule nft_print_op "$filter" "nfqws prerouting (qnum $port)" 4 rule="${3:+iifname @wanif }$filter ip saddr != @nozapret" - nft_add_rule $(get_prechain) $rule queue num $port bypass + nft_insert_rule $(get_prechain) $rule $FW_EXTRA_POST queue num $port bypass } } _nft_fw_nfqws_pre6() @@ -528,7 +538,7 @@ _nft_fw_nfqws_pre6() local filter="$1" port="$2" rule nft_print_op "$filter" "nfqws prerouting (qnum $port)" 6 rule="${3:+iifname @wanif6 }$filter ip6 saddr != @nozapret6" - nft_add_rule $(get_prechain) $rule queue num $port bypass + nft_insert_rule $(get_prechain) $rule $FW_EXTRA_POST queue num $port bypass } } nft_fw_nfqws_pre() diff --git a/common/pf.sh b/common/pf.sh index 4516a00..ed3945f 100644 --- a/common/pf.sh +++ b/common/pf.sh @@ -108,8 +108,9 @@ pf_anchor_zapret_tables() } pf_nat_reorder_rules() { - # this is dirty hack to move rdr above route-to and remove route-to dups - sort -rfu + # this is dirty hack to move rdr above route-to + # use only first word as a key and preserve order within a single key + sort -srfk 1,1 } pf_anchor_port_target() { diff --git a/docs/changes.txt b/docs/changes.txt index ec76971..82cadfd 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -323,3 +323,8 @@ v64: blockcheck: warn if dpi bypass software is already running blockcheck: TPWS_EXTRA, NFQWS_EXTRA init.d: multiple custom scripts + +v65: + +init.d: dynamic number allocation for dnum,tpws_port,qnum +init.d: FW_EXTRA_PRE, FW_EXTRA_POST 
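Review bot: In pf_nat_reorder_rules, `sort -srfk 1,1` drops the `-u` that the old `sort -rfu` had, so identical `route-to` lines emitted by two custom scripts now both reach pf, and the rewritten comment explains the ordering but not that duplicates are now tolerated on purpose. Whether pf accepts repeated route-to/rdr lines harmlessly I cannot tell from this hunk; if it does, state it, e.g. `# duplicates are kept; pf tolerates repeated route-to/rdr lines`, and if it does not, the dedup has to come back as a separate step, since a stable sort on the first field only keeps lines with the same key adjacent.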
diff --git a/docs/readme.txt b/docs/readme.txt index 759f235..a1179e5 100644 --- a/docs/readme.txt +++ b/docs/readme.txt @@ -1579,9 +1579,11 @@ custom код вынесен в отдельные shell includes. /opt/zapret/init.d/macos/custom Он считается устаревшим. Актуальный вариант - помещать отдельные скрипты там же, но в директорию "custom.d". Она будет просканирована стандартным образом, т.е. в алфавитном порядке, и каждый скрипт будет применен. -Рядом имеется "custom.d.examples". Это готовые скрипты, который можно копировать в "custom.d". +Рядом имеется "custom.d.examples". Это готовые скрипты, которые можно копировать в "custom.d". Особо стоит отметить "10-inherit-*". Они наследуют стандартные режимы nfqws/tpws/tpws-socks. Полезно, чтобы не писать код заново. Достаточно лишь скопировать соответствующий файл. +Можно наследовать и более сложным образом. +"10-inherit-tpws4http-nfqws4https" наследует для http tpws, а для https и quic - nfqws. Для linux пишется код в функции zapret_custom_daemons 
@@ -1594,18 +1596,41 @@ zapret_custom_firewall_v4 zapret_custom_firewall_v6 zapret_custom_daemons поднимает демоны nfqws/tpws в нужном вам количестве и с нужными вам параметрами. -Особо обратите внимание на номер демона в функциях "run_daemon" и "do_daemon". +Для систем традиционного linux (sysv) и MacOS в первом параметре передается код операции : 1 = запуск, 0 = останов. +Для openwrt логика останова отсутствует за ненадобностью. +Схема запуска демонов в openwrt отличается - используется procd. + +zapret_custom_firewall поднимает и убирает правила iptables. +В первом параметре передается код операции : 1 = запуск, 0 = останов. + +zapret_custom_firewall_nft поднимает правила nftables. +Логика останова отсутствует за ненадобностью. + +Если вам не нужны iptables или nftables - можете не писать соответствующую функцию. + +В linux можно использовать локальные переменные FW_EXTRA_PRE и FW_EXTRA_POST. +FW_EXTRA_PRE добавляет код к правилам ip/nf tables до кода, генерируемого функциями-хелперами. +FW_EXTRA_POST добавляет код после. + +В linux функции-хелперы добавляют правило в начало цепочек, то есть перед уже имеющимися. +Поэтому специализации должны идти после более общих вариантов. +Поэтому наследования идут с префиксом 10, а остальные custom скрипты с префиксом 50. +Допустим, у вас есть особые правила для IP подсети youtube. Порты те же самые. +Включен и общий обход. Чтобы youtube пошел приоритетом, скрипт должен применяться после +общего обхода. +Для macos правило обратное. Там правила добавляются в конец. Поэтому inherit скрипты +имеют префикс 90. + +В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout, +содержащий правила для pf-якоря. Остальное сделает обертка. + +Особо обратите внимание на номер демона в функциях "run_daemon" и "do_daemon", номера портов tpws +и очередей nfqueue. Они должны быть уникальными во всех скриптах. При накладке будет ошибка. 
-Так же следует избегать пересечения номеров портов tpws и очередей nfqws. -При пересечении какой-то из демонов не запустится. -Чтобы как-то нивелировать эту проблему, в examples используется переменная DNUM. -На ее базе считается диапазон номеров очередей (5 шт), которые использует этот скрипт. -При таком подходе достаточно, чтобы DNUM был везде уникален. -Поскольку номера очереди и портов имеют нумерацию до 65536, можно использовать DNUM до 13106. -Однако, следует оставить номера очереди 200-299 для стандартных режимов и не использовать их. +Поэтому используйте функции динамического получения этих значений из пула. custom скрипты могут использовать переменные из config. Можно помещать в config свои переменные -и использовать их в скриптах. +и задействовать их в скриптах. Можно использовать функции-хелперы. Они являются частью общего пространства функций shell. Полезные функции можно взять из примеров скриптов. Так же смотрите "common/*.sh". Используя хелпер функции, вы избавитесь от необходимости учитывать все возможные случаи @@ -1613,17 +1638,6 @@ custom скрипты могут использовать переменные Хелперы это учитывают, вам нужно сосредоточиться лишь на фильтрах {ip,nf}tables и параметрах демонов. -Код для openwrt и sysv немного отличается. В sysv нужно обрабатывать и запуск, и остановку демонов. -Запуск это или остановка передается в параметре $1 (0 или 1). -В openwrt за остановку отвечает procd. - -Для фаервола в linux кастом пишется отдельно для iptables и nftables. Все очень похоже, но отличается -написание фильтров и названия процедур хелперов. Если вам не нужны iptables или nftables - -можете не писать соответствующую функцию. - -В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout, -содержащий правила для pf-якоря. Остальное сделает обертка. - Простая установка ----------------- diff --git a/init.d/macos/custom.d.examples/50-extra-tpws b/init.d/macos/custom.d.examples/50-extra-tpws index dfe6d10..f968ee0 100644 
--- a/init.d/macos/custom.d.examples/50-extra-tpws +++ b/init.d/macos/custom.d.examples/50-extra-tpws @@ -1,20 +1,21 @@ # this script is an example describing how to run tpws on a custom port -DNUM=100 -TPPORT_MY=${TPPORT_MY:-987} -TPWS_OPT_MY=${TPWS_OPT_MY:-987} -TPWS_OPT_SUFFIX_MY="${TPWS_OPT_SUFFIX_MY:-}" -DPORTS_MY=${DPORTS_MY:-20443,20444,30000-30009} +TPWS_OPT_EXTRA=${TPWS_OPT_EXTRA:---split-pos=2} +TPWS_OPT_SUFFIX_EXTRA="${TPWS_OPT_SUFFIX_EXTRA:-}" +DPORTS_EXTRA=${DPORTS_EXTRA:-20443,20444,30000-30009} + +alloc_dnum DNUM_EXTRA_TPWS +alloc_tpws_port TPPORT_EXTRA_TPWS zapret_custom_daemons() { # $1 - 1 - run, 0 - stop - local opt="--user=root --port=$TPPORT_MY" + local opt="--user=root --port=$TPPORT_EXTRA_TPWS" tpws_apply_binds opt - opt="$opt $TPWS_OPT_MY" + opt="$opt $TPWS_OPT_EXTRA" filter_apply_hostlist_target opt - filter_apply_suffix opt "$TPWS_OPT_SUFFIX_MY" - do_daemon $1 $DNUM "$TPWS" "$opt" + filter_apply_suffix opt "$TPWS_OPT_SUFFIX_EXTRA" + do_daemon $1 $DNUM_EXTRA_TPWS "$TPWS" "$opt" } # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors @@ -22,9 +23,9 @@ zapret_custom_daemons() zapret_custom_firewall_v4() { - pf_anchor_zapret_v4_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY) + pf_anchor_zapret_v4_tpws $TPPORT_EXTRA_TPWS $(replace_char - : $DPORTS_EXTRA) } zapret_custom_firewall_v6() { - pf_anchor_zapret_v6_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY) + pf_anchor_zapret_v6_tpws $TPPORT_EXTRA_TPWS $(replace_char - : $DPORTS_EXTRA) } diff --git a/init.d/macos/custom.d.examples/10-inherit-tpws b/init.d/macos/custom.d.examples/90-inherit-tpws similarity index 100% rename from init.d/macos/custom.d.examples/10-inherit-tpws rename to init.d/macos/custom.d.examples/90-inherit-tpws 
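Review bot: Renaming the override variables in 50-extra-tpws (`TPPORT_MY`, `TPWS_OPT_MY`, `TPWS_OPT_SUFFIX_MY`, `DPORTS_MY` → `TPWS_OPT_EXTRA`, `TPWS_OPT_SUFFIX_EXTRA`, `DPORTS_EXTRA`, `TPPORT_EXTRA_TPWS`) makes values that users already have in config silently ignored, and neither the header comment nor the docs/changes.txt hunk in this commit mentions the rename. A header line such as `# config overrides: TPWS_OPT_EXTRA, TPWS_OPT_SUFFIX_EXTRA, DPORTS_EXTRA; DNUM_EXTRA_TPWS and TPPORT_EXTRA_TPWS are pool-allocated unless pre-set in config` would cover both points, the "unless pre-set" part following from alloc_num keeping an existing target value. The old default `TPWS_OPT_MY=${TPWS_OPT_MY:-987}` was a port number in place of an option, so the new `--split-pos=2` default is a behaviour fix that deserves a changelog line as well.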
diff --git a/init.d/macos/custom.d.examples/10-inherit-tpws-socks b/init.d/macos/custom.d.examples/90-inherit-tpws-socks similarity index 100% rename from init.d/macos/custom.d.examples/10-inherit-tpws-socks rename to init.d/macos/custom.d.examples/90-inherit-tpws-socks diff --git a/init.d/openwrt/custom.d.examples/10-inherit-tpws b/init.d/openwrt/custom.d.examples/10-inherit-tpws index ae2bdf9..e9c5f69 100644 --- a/init.d/openwrt/custom.d.examples/10-inherit-tpws +++ b/init.d/openwrt/custom.d.examples/10-inherit-tpws @@ -4,7 +4,7 @@ OVERRIDE=tpws zapret_custom_daemons() { - # $1 - 1 - run, 0 - stop + # stop logic is managed by procd MODE_OVERRIDE=$OVERRIDE start_daemons_procd } diff --git a/init.d/openwrt/custom.d.examples/10-inherit-tpws-socks b/init.d/openwrt/custom.d.examples/10-inherit-tpws-socks index 8336b72..b4e686a 100644 --- a/init.d/openwrt/custom.d.examples/10-inherit-tpws-socks +++ b/init.d/openwrt/custom.d.examples/10-inherit-tpws-socks @@ -4,7 +4,7 @@ OVERRIDE=tpws-socks zapret_custom_daemons() { - # $1 - 1 - run, 0 - stop + # stop logic is managed by procd MODE_OVERRIDE=$OVERRIDE start_daemons_procd } diff --git a/init.d/openwrt/custom.d.examples/10-inherit-tpws4http-nfqws4https b/init.d/openwrt/custom.d.examples/10-inherit-tpws4http-nfqws4https new file mode 100644 index 0000000..752b1a2 --- /dev/null +++ b/init.d/openwrt/custom.d.examples/10-inherit-tpws4http-nfqws4https 
@@ -0,0 +1,35 @@
+# this custom script demonstrates how to apply tpws to http and nfqws to https and quic
+# it's desired that inherited basic rules are low priority to allow specializations and exceptions in other custom scripts
+
+nfqws_tpws_inheritor()
+{
+ # $1 - inherited function
+ # $2 - 1 - run, 0 - stop
+
+ [ "$MODE_HTTP" = "1" ] && {
+ MODE_OVERRIDE=tpws MODE_HTTPS=0 MODE_QUIC=0 $1 $2
+ }
+
+ [ "$MODE_HTTPS" = "1" -o "$MODE_QUIC" = "1" ] && {
+ MODE_OVERRIDE=nfqws MODE_HTTP=0 $1 $2
+ }
+}
+
+zapret_custom_daemons()
+{
+ # stop logic is managed by procd
+
+ nfqws_tpws_inheritor start_daemons_procd
+}
+zapret_custom_firewall()
+{
+ # $1 - 1 - run, 0 - stop
+
+ nfqws_tpws_inheritor zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+ # stop logic is not required
+
+ nfqws_tpws_inheritor zapret_apply_firewall_rules_nft
+}
diff --git a/init.d/openwrt/custom.d.examples/50-dht4all b/init.d/openwrt/custom.d.examples/50-dht4all
index 3126658..7df570d 100644
--- a/init.d/openwrt/custom.d.examples/50-dht4all
+++ b/init.d/openwrt/custom.d.examples/50-dht4all
@@ -1,15 +1,15 @@
 # this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
-DNUM=101
-QNUM2=$(($DNUM * 5))
+alloc_dnum DNUM_DHT4ALL
+alloc_qnum QNUM_DHT4ALL
 zapret_custom_daemons()
 {
 # stop logic is managed by procd
 local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
- run_daemon $DNUM $NFQWS "$opt"
+ run_daemon $DNUM_DHT4ALL $NFQWS "$opt"
 }
 zapret_custom_firewall()
 {
@@ -22,7 +22,7 @@ zapret_custom_firewall()
 f='-p udp -m length --length 109:407 -m u32 --u32'
 uf4='0>>22&0x3C@8>>16=0x6431'
 uf6='48>>16=0x6431'
- fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
+ fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM_DHT4ALL
 }
 zapret_custom_firewall_nft()
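Review bot: nfqws_tpws_inheritor assumes that the `MODE_HTTPS=0 MODE_QUIC=0` prefixed to the `$1 $2` call do not outlive it, because the second test reads `$MODE_HTTPS` and `$MODE_QUIC` immediately afterwards; POSIX leaves unspecified whether assignments prefixed to a function call persist after the function returns, and a shell that keeps them would skip the nfqws branch whenever http is enabled (I have not checked the ash/dash builds on the target systems). Snapshotting the three flags into locals before the first call, testing the locals, and restoring after each call removes the dependency on that behaviour; the identical function in the sysv 10-inherit-tpws4http-nfqws4https hunk needs the same change. The existing 10-inherit-tpws scripts use the same prefix form, but nothing there reads the variables afterwards, so they are not affected.
```sh
nfqws_tpws_inheritor()
{
	# $1 - inherited function
	# $2 - 1 - run, 0 - stop
	# snapshot: whether "VAR=x func" assignments outlive the call is unspecified in POSIX sh
	local http="$MODE_HTTP" https="$MODE_HTTPS" quic="$MODE_QUIC"

	[ "$http" = "1" ] && {
		MODE_OVERRIDE=tpws MODE_HTTPS=0 MODE_QUIC=0 $1 $2
		MODE_HTTPS="$https" MODE_QUIC="$quic"
	}

	[ "$https" = "1" -o "$quic" = "1" ] && {
		MODE_OVERRIDE=nfqws MODE_HTTP=0 $1 $2
		MODE_HTTP="$http"
	}
}
```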
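Review bot: In openwrt 50-dht4all the line `local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"` is left as unchanged context while `QNUM2=$(($DNUM * 5))` is removed, so nfqws is now started with an empty `--qnum=` whereas the firewall rules in the next hunk queue to `$QNUM_DHT4ALL`; daemon and rules no longer agree. The openwrt 50-quic4all hunk has the same mismatch (`--qnum=$QNUM2` kept, `QNUM2` removed), while the sysv 50-dht4all hunk does update the line, which suggests these two were missed. Change the line to `local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"` here and to `--qnum=$QNUM_QUIC4ALL` in 50-quic4all.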
@@ -34,6 +34,5 @@ zapret_custom_firewall_nft() local desync="mark and $DESYNC_MARK == 0" f="meta length 109-407 meta l4proto udp @th,64,16 0x6431" - nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2 + nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM_DHT4ALL } - diff --git a/init.d/openwrt/custom.d.examples/50-discord b/init.d/openwrt/custom.d.examples/50-discord index 92d1400..21595f3 100644 --- a/init.d/openwrt/custom.d.examples/50-discord +++ b/init.d/openwrt/custom.d.examples/50-discord 
@@ -6,16 +6,16 @@ NFQWS_OPT_DESYNC_DISCORD="${NFQWS_OPT_DESYNC_DISCORD:---dpi-desync=fake --dpi-de DISCORD_PORTS=${DISCORD_PORTS:-50000-65535} DISCORD_SUBNETS="${DISCORD_SUBNETS:-5.200.14.249 18.165.140.0/25 23.227.38.74 34.0.48.0/24 34.0.49.64/26 34.0.50.0/25 34.0.51.0/24 34.0.52.0/22 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.128/25 34.0.63.228 34.0.64.0/23 34.0.66.130 34.0.82.140 34.0.129.128/25 34.0.130.0/24 34.0.131.130 34.0.132.139 34.0.133.75 34.0.134.0/24 34.0.135.251 34.0.136.51 34.0.137.0/24 34.0.139.0/24 34.0.140.0/23 34.0.142.0/25 34.0.144.0/23 34.0.146.0/24 34.0.148.25 34.0.149.101 34.0.151.0/25 34.0.153.0/24 34.0.155.0/24 34.0.156.101 34.0.157.0/25 34.0.158.247 34.0.159.188 34.0.192.0/25 34.0.193.0/24 34.0.194.0/24 34.0.195.172 34.0.196.200/29 34.0.197.81 34.0.198.25 34.0.199.0/24 34.0.200.0/24 34.0.201.81 34.0.202.34 34.0.203.0/24 34.0.204.0/23 34.0.206.0/25 34.0.207.0/25 34.0.208.195 34.0.209.0/24 34.0.210.20 34.0.211.0/26 34.0.212.0/24 34.0.213.64/26 34.0.215.128/25 34.0.216.238 34.0.217.0/24 34.0.218.83 34.0.220.103 34.0.221.0/24 34.0.222.193 34.0.223.68 34.0.227.0/24 34.0.240.0/21 34.0.248.0/23 34.0.250.0/24 34.0.251.0/25 34.1.216.0/24 34.1.221.166 35.207.64.0/23 35.207.67.116 35.207.71.0/24 35.207.72.32 35.207.73.0/24 35.207.74.0/24 35.207.75.128/25 35.207.76.128/26 35.207.77.0/24 35.207.78.129 35.207.79.0/24 35.207.80.76 35.207.81.248/30 35.207.82.0/23 35.207.84.0/24 35.207.85.160 35.207.86.41 35.207.87.184 35.207.89.188 35.207.91.146 35.207.92.230 35.207.95.0/24 35.207.97.174 35.207.99.134 35.207.100.64/26 35.207.101.130 35.207.103.64/26 35.207.104.0/24 35.207.106.128/26 35.207.107.19 35.207.108.192/27 35.207.109.185 35.207.110.0/24 35.207.111.174 35.207.114.16 35.207.115.163 35.207.116.51 35.207.117.0/24 35.207.121.204 35.207.122.0/25 35.207.124.145 35.207.125.116 35.207.126.30 35.207.129.0/24 35.207.131.128/27 35.207.132.247 35.207.135.147 35.207.136.69 35.207.137.0/24 35.207.139.0/24 35.207.140.241 35.207.141.119 35.207.142.0/24 
35.207.143.96/27 35.207.144.0/25 35.207.145.0/24 35.207.146.89 35.207.147.0/24 35.207.149.0/24 35.207.150.0/24 35.207.151.61 35.207.153.117 35.207.154.0/24 35.207.155.128/25 35.207.156.254 35.207.157.7 35.207.158.192 35.207.160.160 35.207.162.239 35.207.163.0/24 35.207.164.0/25 35.207.165.147 35.207.166.0/25 35.207.167.0/24 35.207.168.116 35.207.170.0/23 35.207.172.0/24 35.207.174.55 35.207.176.128/25 35.207.178.0/24 35.207.180.152 35.207.181.76 35.207.182.125 35.207.184.101 35.207.185.192 35.207.186.128/25 35.207.187.228 35.207.188.0/24 35.207.189.0/25 35.207.190.194 35.207.191.64/26 35.207.193.165 35.207.195.75 35.207.196.0/24 35.207.198.0/23 35.207.201.186 35.207.202.169 35.207.205.211 35.207.207.4 35.207.209.0/25 35.207.210.191 35.207.211.253 35.207.213.97 35.207.214.0/24 35.207.220.147 35.207.221.58 35.207.222.105 35.207.224.151 35.207.225.210 35.207.227.0/24 35.207.229.212 35.207.232.26 35.207.234.182 35.207.238.0/24 35.207.240.0/24 35.207.245.0/24 35.207.249.0/24 35.207.250.212 35.207.251.0/27 35.212.4.134 35.212.12.148 35.212.88.11 35.212.102.50 35.212.111.0/26 35.212.117.247 35.212.120.122 35.213.0.0/24 35.213.2.8 35.213.4.185 35.213.6.118 35.213.7.128/25 35.213.8.168 35.213.10.0/24 35.213.11.21 35.213.12.224/27 35.213.13.19 35.213.14.217 35.213.16.67 35.213.17.235 35.213.23.166 35.213.25.164 35.213.26.62 35.213.27.252 35.213.32.0/24 35.213.33.74 35.213.34.204 35.213.37.81 35.213.38.186 35.213.39.253 35.213.42.0/24 35.213.43.79 35.213.45.0/24 35.213.46.136 35.213.49.17 35.213.50.0/24 35.213.51.213 35.213.52.0/25 35.213.53.0/24 35.213.54.0/24 35.213.56.0/25 35.213.59.0/24 35.213.61.58 35.213.65.0/24 35.213.67.0/24 35.213.68.192/26 35.213.70.151 35.213.72.128/25 35.213.73.245 35.213.74.131 35.213.78.0/24 35.213.79.137 35.213.80.0/25 35.213.83.128/25 35.213.84.245 35.213.85.0/24 35.213.88.145 35.213.89.80/28 35.213.90.0/24 35.213.91.195 35.213.92.0/24 35.213.93.254 35.213.94.78 35.213.95.145 35.213.96.87 35.213.98.0/24 35.213.99.126 35.213.101.214 
35.213.102.0/24 35.213.105.0/24 35.213.106.128/25 35.213.107.158 35.213.109.0/24 35.213.110.40 35.213.111.0/25 35.213.115.0/25 35.213.120.0/24 35.213.122.0/24 35.213.124.89 35.213.125.40 35.213.126.185 35.213.127.0/24 35.213.128.0/22 35.213.132.0/23 35.213.134.140 35.213.135.0/24 35.213.136.0/23 35.213.138.128/25 35.213.139.0/24 35.213.140.0/25 35.213.141.164 35.213.142.128/25 35.213.143.0/24 35.213.144.0/22 35.213.148.0/23 35.213.150.0/24 35.213.152.0/23 35.213.154.137 35.213.155.134 35.213.156.144 35.213.157.0/24 35.213.158.64/26 35.213.160.90 35.213.161.253 35.213.162.0/25 35.213.163.0/24 35.213.164.0/23 35.213.166.106 35.213.167.160/27 35.213.168.0/24 35.213.169.179 35.213.170.0/24 35.213.171.201 35.213.172.159 35.213.173.0/24 35.213.174.128/25 35.213.175.128/26 35.213.176.0/24 35.213.177.0/25 35.213.179.139 35.213.180.0/24 35.213.181.0/25 35.213.182.0/23 35.213.184.0/23 35.213.186.70 35.213.187.0/24 35.213.188.128/25 35.213.190.158 35.213.191.0/24 35.213.192.240/31 35.213.193.74 35.213.194.0/25 35.213.195.178 35.213.196.38 35.213.197.68 35.213.198.0/23 35.213.200.0/23 35.213.202.0/25 35.213.203.195 35.213.204.32/27 35.213.205.170 35.213.207.128/25 35.213.208.85 35.213.210.0/24 35.213.211.176/29 35.213.212.0/24 35.213.213.225 35.213.214.0/25 35.213.215.255 35.213.217.0/24 35.213.218.248 35.213.219.0/25 35.213.220.211 35.213.221.0/24 35.213.222.215 35.213.223.0/24 35.213.225.0/24 35.213.227.227 35.213.229.17 35.213.230.89 35.213.231.0/24 35.213.233.0/24 35.213.234.134 35.213.236.0/24 35.213.237.212 35.213.238.0/24 35.213.240.212 35.213.241.0/24 35.213.242.10 35.213.243.219 35.213.244.146 35.213.245.119 35.213.246.0/23 35.213.249.79 35.213.250.0/24 35.213.251.74 35.213.252.0/24 35.213.253.155 35.213.254.89 35.214.128.248 35.214.129.220 35.214.130.217 35.214.131.144 35.214.132.189 35.214.133.0/24 35.214.134.163 35.214.137.0/24 35.214.138.0/25 35.214.140.0/24 35.214.142.0/24 35.214.143.41 35.214.144.26 35.214.145.200 35.214.146.9 35.214.147.135 35.214.148.89 
35.214.149.110 35.214.151.128/25 35.214.152.0/24 35.214.156.115 35.214.158.181 35.214.159.128/25 35.214.160.128/25 35.214.161.217 35.214.162.0/24 35.214.163.28 35.214.165.102 35.214.167.77 35.214.169.0/24 35.214.170.2 35.214.171.0/25 35.214.172.128/25 35.214.173.0/24 35.214.175.0/24 35.214.177.183 35.214.179.46 35.214.180.0/23 35.214.184.179 35.214.185.28 35.214.186.3 35.214.187.0/24 35.214.191.0/24 35.214.192.128/25 35.214.193.0/24 35.214.194.128/25 35.214.195.0/25 35.214.196.64/26 35.214.197.0/24 35.214.198.7 35.214.199.224 35.214.201.0/25 35.214.203.155 35.214.204.0/23 35.214.207.0/24 35.214.208.128/25 35.214.209.64 35.214.210.0/24 35.214.211.3 35.214.212.64/26 35.214.213.0/25 35.214.214.0/24 35.214.215.64/26 35.214.216.0/23 35.214.218.140 35.214.219.0/24 35.214.220.149 35.214.221.0/24 35.214.222.149 35.214.223.0/24 35.214.224.71 35.214.225.0/24 35.214.226.0/23 35.214.228.0/23 35.214.231.187 35.214.233.8 35.214.235.38 35.214.237.0/24 35.214.238.0/25 35.214.239.0/24 35.214.240.87 35.214.241.0/24 35.214.243.21 35.214.244.0/24 35.214.245.16/28 35.214.246.106 35.214.248.119 35.214.249.154 35.214.250.0/24 35.214.251.128/25 35.214.252.187 35.214.253.0/24 35.214.255.154 35.215.72.85 35.215.73.65 35.215.83.0 35.215.108.111 35.215.115.120 35.215.126.35 35.215.127.34 35.215.128.0/21 35.215.136.0/26 35.215.137.0/24 35.215.138.0/23 35.215.140.0/24 35.215.141.64/27 35.215.142.0/24 35.215.143.83 35.215.144.128/25 35.215.145.0/24 35.215.146.0/24 35.215.147.86 35.215.148.0/23 35.215.150.0/26 35.215.151.0/24 35.215.152.0/24 35.215.153.128/25 35.215.154.240/28 35.215.155.20 35.215.156.0/24 35.215.158.0/23 35.215.160.192/26 35.215.161.0/24 35.215.163.0/24 35.215.164.0/24 35.215.165.236 35.215.166.128/25 35.215.167.128/25 35.215.168.0/24 35.215.169.12 35.215.170.0/23 35.215.172.0/22 35.215.176.0/24 35.215.177.72 35.215.178.0/24 35.215.179.161 35.215.180.0/22 35.215.184.253 35.215.185.64/26 35.215.186.0/25 35.215.187.0/24 35.215.188.0/23 35.215.190.0/24 35.215.191.61 35.215.192.0/23 
35.215.194.192/28 35.215.195.0/24 35.215.196.0/25 35.215.197.0/25 35.215.198.230 35.215.199.204 35.215.200.0/23 35.215.202.0/24 35.215.203.0/25 35.215.204.128/25 35.215.205.0/25 35.215.206.0/23 35.215.208.0/24 35.215.209.0/25 35.215.210.0/23 35.215.212.0/22 35.215.216.0/22 35.215.221.0/24 35.215.222.128/25 35.215.223.126 35.215.224.0/23 35.215.226.0/24 35.215.227.0/25 35.215.228.0/24 35.215.229.64 35.215.230.89 35.215.231.0/24 35.215.232.0/24 35.215.233.0/25 35.215.234.37 35.215.235.0/24 35.215.238.0/25 35.215.239.119 35.215.240.0/24 35.215.241.128/25 35.215.242.0/25 35.215.243.0/24 35.215.244.0/23 35.215.246.222 35.215.247.0/24 35.215.248.0/22 35.215.252.0/24 35.215.253.118 35.215.254.0/23 35.217.0.0/24 35.217.1.64/26 35.217.2.5 35.217.3.0/24 35.217.4.72 35.217.5.0/25 35.217.6.0/24 35.217.8.0/25 35.217.9.0/24 35.217.11.186 35.217.12.0/24 35.217.14.192/26 35.217.15.65 35.217.16.75 35.217.17.128/25 35.217.18.0/24 35.217.19.183 35.217.20.0/24 35.217.21.128/25 35.217.22.128/25 35.217.23.128/25 35.217.24.0/24 35.217.25.81 35.217.26.0/24 35.217.27.128/25 35.217.28.128/25 35.217.29.0/24 35.217.30.0/25 35.217.31.0/25 35.217.32.128/25 35.217.33.0/24 35.217.35.128/25 35.217.36.0/23 35.217.38.179 35.217.39.186 35.217.40.176 35.217.41.204 35.217.43.0/24 35.217.45.248 35.217.46.0/24 35.217.47.128/25 35.217.48.195 35.217.49.160/27 35.217.50.0/25 35.217.51.0/24 35.217.52.117 35.217.53.128/25 35.217.54.0/25 35.217.55.96/27 35.217.56.6 35.217.57.184 35.217.58.0/24 35.217.59.64/26 35.217.60.0/24 35.217.61.128/25 35.217.62.0/24 35.217.63.128/25 35.219.225.149 35.219.226.57 35.219.227.0/24 35.219.228.37 35.219.229.128/25 35.219.230.0/23 35.219.235.0/24 35.219.236.198 35.219.238.115 35.219.239.0/24 35.219.241.0/24 35.219.242.221 35.219.243.191 35.219.244.1 35.219.245.0/24 35.219.246.159 35.219.247.0/26 35.219.248.0/24 35.219.249.126 35.219.251.186 35.219.252.0/23 35.219.254.0/24 64.233.161.207 64.233.162.207 64.233.163.207 64.233.164.207 64.233.165.207 66.22.196.0/26 66.22.197.0/24 
66.22.198.0/26 66.22.199.0/24 66.22.200.0/26 66.22.202.0/26 66.22.204.0/24 66.22.206.0/24 66.22.208.0/25 66.22.210.0/26 66.22.212.0/24 66.22.214.0/24 66.22.216.0/23 66.22.220.0/25 66.22.221.0/24 66.22.222.0/23 66.22.224.0/25 66.22.225.0/26 66.22.226.0/25 66.22.227.0/25 66.22.228.0/22 66.22.233.0/24 66.22.234.0/24 66.22.236.0/23 66.22.238.0/24 66.22.240.0/22 66.22.244.0/23 66.22.248.0/24 74.125.131.207 74.125.205.207 104.17.51.93 104.17.117.93 104.18.4.161 104.18.5.161 104.18.8.105 104.18.9.105 104.18.30.128 104.18.31.128 104.21.2.204 104.21.25.51 104.21.40.151 104.21.59.128 104.21.72.221 104.21.82.160 108.177.14.207 138.128.140.240/28 142.250.150.207 142.251.1.207 162.159.128.232/30 162.159.129.232/30 162.159.130.232/30 162.159.133.232/30 162.159.134.232/30 162.159.135.232/30 162.159.136.232/30 162.159.137.232/30 162.159.138.232/30 172.65.202.19 172.66.41.34 172.66.42.222 172.67.152.224/28 172.67.155.163 172.67.159.89 172.67.177.131 172.67.222.182 173.194.73.207 173.194.220.207 173.194.221.207 173.194.222.207 188.114.96.2 188.114.97.2 188.114.98.224 188.114.99.224 204.11.56.48 209.85.233.207}" -DNUM=105 -QNUM_DISCORD=$(($DNUM * 5)) DISCORD_SET_NAME=discord +alloc_dnum DNUM_DISCORD +alloc_qnum QNUM_DISCORD zapret_custom_daemons() { # $1 - 1 - run, 0 - stop local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD" - run_daemon $DNUM $NFQWS "$opt" + run_daemon $DNUM_DISCORD $NFQWS "$opt" } zapret_custom_firewall() @@ -43,7 +43,7 @@ zapret_custom_firewall() fw_nfqws_post $1 "$f $desync $first_packets_only $dest_set" "" $QNUM_DISCORD [ "$1" = 1 ] || { - ipset destroy $DISCORD_SET_NAME + ipset destroy $DISCORD_SET_NAME 2>/dev/null } } diff --git a/init.d/openwrt/custom.d.examples/50-quic4all b/init.d/openwrt/custom.d.examples/50-quic4all index 7445344..7578f6b 100644 --- a/init.d/openwrt/custom.d.examples/50-quic4all +++ b/init.d/openwrt/custom.d.examples/50-quic4all 
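Review bot: The `2>/dev/null` added to `ipset destroy $DISCORD_SET_NAME` in zapret_custom_firewall hides every failure, not only the expected "set does not exist" on a stop that follows an incomplete start; if the set is still referenced by a rule that was not removed, the leftover set now goes unnoticed. At minimum the intent should be stated, `# the set may not exist if the firewall was never applied; ignore`, or test for the set first, `ipset -n list "$DISCORD_SET_NAME" >/dev/null 2>&1 && ipset destroy "$DISCORD_SET_NAME"`, so that other errors stay visible. The function starts outside the hunk.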
@@ -2,15 +2,15 @@ # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received -DNUM=102 -QNUM2=$(($DNUM * 5)) +alloc_dnum DNUM_QUIC4ALL +alloc_qnum QNUM_QUIC4ALL zapret_custom_daemons() { # $1 - 1 - run, 0 - stop local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - run_daemon $DNUM $NFQWS "$opt" + run_daemon $DNUM_QUIC4ALL $NFQWS "$opt" } zapret_custom_firewall() { @@ -21,7 +21,7 @@ zapret_custom_firewall() local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" f="-p udp -m multiport --dports $QUIC_PORTS_IPT" - fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 + fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM_QUIC4ALL } zapret_custom_firewall_nft() @@ -33,5 +33,5 @@ zapret_custom_firewall_nft() local desync="mark and $DESYNC_MARK == 0" f="udp dport {$QUIC_PORTS}" - nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 + nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM_QUIC4ALL } diff --git a/init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https b/init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https deleted file mode 100644 index df18da8..0000000 --- a/init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https +++ /dev/null 
@@ -1,71 +0,0 @@
-# this custom script demonstrates how to apply tpws to http and nfqws to https
-# it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
-
-zapret_custom_daemons()
-{
- # $1 - 1 - run, 0 - stop
-
- local opt
-
- [ "$MODE_HTTP" = "1" ] && {
- opt="--port=$TPPORT $TPWS_OPT"
- filter_apply_hostlist_target opt
- filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
- run_tpws 1 "$opt"
- }
-
- [ "$MODE_HTTPS" = "1" ] && {
- opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
- filter_apply_hostlist_target opt
- filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
- run_daemon 2 $NFQWS "$opt"
- }
-}
-zapret_custom_firewall()
-{
- # $1 - 1 - run, 0 - stop
-
- local f4 f6
- local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
- local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-
- [ "$MODE_HTTP" = "1" ] && {
- f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
- f6=$f4
- filter_apply_ipset_target f4 f6
- fw_tpws $1 "$f4" "$f6" $TPPORT
- }
-
- [ "$MODE_HTTPS" = "1" ] && {
- f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
- f6=$f4
- filter_apply_ipset_target f4 f6
- fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
- # for modes that require incoming traffic
- fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
- }
-}
-zapret_custom_firewall_nft()
-{
- # stop logic is not required
-
- local f4 f6
- local first_packet_only="$nft_connbytes 1-$(first_packets_for_mode)"
- local desync="mark and $DESYNC_MARK == 0"
-
- [ "$MODE_HTTP" = "1" ] && {
- f4="tcp dport {$HTTP_PORTS}"
- f6=$f4
- nft_filter_apply_ipset_target f4 f6
- nft_fw_tpws "$f4" "$f6" $TPPORT
- }
-
- [ "$MODE_HTTPS" = "1" ] && {
- f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
- f6=$f4
- nft_filter_apply_ipset_target f4 f6
- nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
- # for modes that require incoming traffic
- nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
- }
-}
diff --git a/init.d/sysv/custom.d.examples/10-inherit-tpws4http-nfqws4https b/init.d/sysv/custom.d.examples/10-inherit-tpws4http-nfqws4https
new file mode 100644
index 0000000..f05d75e
--- /dev/null
+++ b/init.d/sysv/custom.d.examples/10-inherit-tpws4http-nfqws4https
@@ -0,0 +1,35 @@
+# this custom script demonstrates how to apply tpws to http and nfqws to https and quic
+# it's desired that inherited basic rules are low priority to allow specializations and exceptions in other custom scripts
+
+nfqws_tpws_inheritor()
+{
+ # $1 - inherited function
+ # $2 - 1 - run, 0 - stop
+
+ [ "$MODE_HTTP" = "1" ] && {
+ MODE_OVERRIDE=tpws MODE_HTTPS=0 MODE_QUIC=0 $1 $2
+ }
+
+ [ "$MODE_HTTPS" = "1" -o "$MODE_QUIC" = "1" ] && {
+ MODE_OVERRIDE=nfqws MODE_HTTP=0 $1 $2
+ }
+}
+
+zapret_custom_daemons()
+{
+ # $1 - 1 - run, 0 - stop
+
+ nfqws_tpws_inheritor zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+ # $1 - 1 - run, 0 - stop
+
+ nfqws_tpws_inheritor zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+ # stop logic is not required
+
+ nfqws_tpws_inheritor zapret_apply_firewall_rules_nft
+}
diff --git a/init.d/sysv/custom.d.examples/50-dht4all b/init.d/sysv/custom.d.examples/50-dht4all
index 735b2c5..c67404a 100644
--- a/init.d/sysv/custom.d.examples/50-dht4all
+++ b/init.d/sysv/custom.d.examples/50-dht4all
@@ -1,15 +1,15 @@
 # this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
-DNUM=101
-QNUM2=$(($DNUM * 5))
+alloc_dnum DNUM_DHT4ALL
+alloc_qnum QNUM_DHT4ALL
 zapret_custom_daemons()
 {
 # stop logic is managed by procd
- local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
- do_nfqws $1 $DNUM "$opt"
+ local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+ do_nfqws $1 $DNUM_DHT4ALL "$opt"
 }
 zapret_custom_firewall()
 {
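Review bot: In nfqws_tpws_inheritor the calls `MODE_OVERRIDE=tpws MODE_HTTPS=0 MODE_QUIC=0 $1 $2` and `MODE_OVERRIDE=nfqws MODE_HTTP=0 $1 $2` rely on assignments prefixed to a shell *function* call being temporary, which POSIX leaves unspecified; in dash (and, as far as I recall, busybox ash, which derives from it — the /bin/sh of the sysv and openwrt targets) they persist after the function returns, so once the tpws branch has run MODE_HTTPS and MODE_QUIC read 0, the second test fails and the nfqws side is never started, and every custom script sourced after this one sees the clobbered MODE_* and MODE_OVERRIDE values too. Capture the configured values up front and restore them after each call, as below; while there, `-o` inside `[ ]` is obsolescent and reads better as two tests. The openwrt copy of this file created by the same commit is not on this page but presumably has the same shape.
```shell
nfqws_tpws_inheritor()
{
	# $1 - inherited function
	# $2 - 1 - run, 0 - stop

	# assignments prefixed to a function call may persist after it returns
	# (unspecified by POSIX, true in dash/ash) : keep the configured values
	# and put them back after each call so the second branch and later
	# custom scripts still see them
	local mode_http="$MODE_HTTP" mode_https="$MODE_HTTPS" mode_quic="$MODE_QUIC" mode_override="$MODE_OVERRIDE"

	[ "$mode_http" = "1" ] && {
		MODE_OVERRIDE=tpws MODE_HTTPS=0 MODE_QUIC=0 $1 $2
		MODE_OVERRIDE="$mode_override" MODE_HTTPS="$mode_https" MODE_QUIC="$mode_quic"
	}

	[ "$mode_https" = "1" ] || [ "$mode_quic" = "1" ] && {
		MODE_OVERRIDE=nfqws MODE_HTTP=0 $1 $2
		MODE_OVERRIDE="$mode_override" MODE_HTTP="$mode_http"
	}
}
# … unchanged: zapret_custom_daemons, zapret_custom_firewall, zapret_custom_firewall_nft …
```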
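Review bot: `alloc_dnum DNUM_DHT4ALL` and `alloc_qnum QNUM_DHT4ALL` take the next number from a shared pool in the order the custom scripts are sourced, so the daemon number and nfqueue number this script gets are no longer fixed but depend on which custom scripts precede it; stop presumably replays the same sequence, which only yields the same numbers while the set of custom scripts is unchanged, so adding, removing or renaming a custom script between start and stop leaves daemons and rules addressed by stale numbers (the removed `DNUM=101` constants did not have that property). A comment above the two calls would spare the next maintainer that surprise, e.g. `# numbers are allocated in custom script order; keep the script set stable between start and stop`; the same applies to the alloc_ calls in the 50-discord and 50-quic4all hunks further down. Separately, the context comment `# stop logic is managed by procd` is stale in this sysv copy, where `do_nfqws $1` takes the run/stop flag; `# $1 - 1 - run, 0 - stop`, as in the sysv 50-quic4all below, is what applies.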
@@ -22,7 +22,7 @@ zapret_custom_firewall()
 f='-p udp -m length --length 109:407 -m u32 --u32'
 uf4='0>>22&0x3C@8>>16=0x6431'
 uf6='48>>16=0x6431'
- fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
+ fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM_DHT4ALL
 }
 zapret_custom_firewall_nft()
@@ -34,6 +34,6 @@ zapret_custom_firewall_nft()
 local desync="mark and $DESYNC_MARK == 0"
 f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
- nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
+ nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM_DHT4ALL
 }
diff --git a/init.d/sysv/custom.d.examples/50-discord b/init.d/sysv/custom.d.examples/50-discord
index 487b4cd..82200e0 100644
--- a/init.d/sysv/custom.d.examples/50-discord
+++ b/init.d/sysv/custom.d.examples/50-discord
@@ -6,8 +6,8 @@ NFQWS_OPT_DESYNC_DISCORD="${NFQWS_OPT_DESYNC_DISCORD:---dpi-desync=fake --dpi-de DISCORD_PORTS=${DISCORD_PORTS:-50000-65535} DISCORD_SUBNETS="${DISCORD_SUBNETS:-5.200.14.249 18.165.140.0/25 23.227.38.74 34.0.48.0/24 34.0.49.64/26 34.0.50.0/25 34.0.51.0/24 34.0.52.0/22 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.128/25 34.0.63.228 34.0.64.0/23 34.0.66.130 34.0.82.140 34.0.129.128/25 34.0.130.0/24 34.0.131.130 34.0.132.139 34.0.133.75 34.0.134.0/24 34.0.135.251 34.0.136.51 34.0.137.0/24 34.0.139.0/24 34.0.140.0/23 34.0.142.0/25 34.0.144.0/23 34.0.146.0/24 34.0.148.25 34.0.149.101 34.0.151.0/25 34.0.153.0/24 34.0.155.0/24 34.0.156.101 34.0.157.0/25 34.0.158.247 34.0.159.188 34.0.192.0/25 34.0.193.0/24 34.0.194.0/24 34.0.195.172 34.0.196.200/29 34.0.197.81 34.0.198.25 34.0.199.0/24 34.0.200.0/24 34.0.201.81 34.0.202.34 34.0.203.0/24 34.0.204.0/23 34.0.206.0/25 34.0.207.0/25 34.0.208.195 34.0.209.0/24 34.0.210.20 34.0.211.0/26 34.0.212.0/24 34.0.213.64/26 34.0.215.128/25 34.0.216.238 34.0.217.0/24 34.0.218.83 34.0.220.103 34.0.221.0/24 34.0.222.193 34.0.223.68 34.0.227.0/24 34.0.240.0/21 34.0.248.0/23 34.0.250.0/24 34.0.251.0/25 34.1.216.0/24 34.1.221.166 35.207.64.0/23 35.207.67.116 35.207.71.0/24 35.207.72.32 35.207.73.0/24 35.207.74.0/24 35.207.75.128/25 35.207.76.128/26 35.207.77.0/24 35.207.78.129 35.207.79.0/24 35.207.80.76 35.207.81.248/30 35.207.82.0/23 35.207.84.0/24 35.207.85.160 35.207.86.41 35.207.87.184 35.207.89.188 35.207.91.146 35.207.92.230 35.207.95.0/24 35.207.97.174 35.207.99.134 35.207.100.64/26 35.207.101.130 35.207.103.64/26 35.207.104.0/24 35.207.106.128/26 35.207.107.19 35.207.108.192/27 35.207.109.185 35.207.110.0/24 35.207.111.174 35.207.114.16 35.207.115.163 35.207.116.51 35.207.117.0/24 35.207.121.204 35.207.122.0/25 35.207.124.145 35.207.125.116 35.207.126.30 35.207.129.0/24 35.207.131.128/27 35.207.132.247 35.207.135.147 35.207.136.69 35.207.137.0/24 35.207.139.0/24 35.207.140.241 35.207.141.119 35.207.142.0/24 
35.207.143.96/27 35.207.144.0/25 35.207.145.0/24 35.207.146.89 35.207.147.0/24 35.207.149.0/24 35.207.150.0/24 35.207.151.61 35.207.153.117 35.207.154.0/24 35.207.155.128/25 35.207.156.254 35.207.157.7 35.207.158.192 35.207.160.160 35.207.162.239 35.207.163.0/24 35.207.164.0/25 35.207.165.147 35.207.166.0/25 35.207.167.0/24 35.207.168.116 35.207.170.0/23 35.207.172.0/24 35.207.174.55 35.207.176.128/25 35.207.178.0/24 35.207.180.152 35.207.181.76 35.207.182.125 35.207.184.101 35.207.185.192 35.207.186.128/25 35.207.187.228 35.207.188.0/24 35.207.189.0/25 35.207.190.194 35.207.191.64/26 35.207.193.165 35.207.195.75 35.207.196.0/24 35.207.198.0/23 35.207.201.186 35.207.202.169 35.207.205.211 35.207.207.4 35.207.209.0/25 35.207.210.191 35.207.211.253 35.207.213.97 35.207.214.0/24 35.207.220.147 35.207.221.58 35.207.222.105 35.207.224.151 35.207.225.210 35.207.227.0/24 35.207.229.212 35.207.232.26 35.207.234.182 35.207.238.0/24 35.207.240.0/24 35.207.245.0/24 35.207.249.0/24 35.207.250.212 35.207.251.0/27 35.212.4.134 35.212.12.148 35.212.88.11 35.212.102.50 35.212.111.0/26 35.212.117.247 35.212.120.122 35.213.0.0/24 35.213.2.8 35.213.4.185 35.213.6.118 35.213.7.128/25 35.213.8.168 35.213.10.0/24 35.213.11.21 35.213.12.224/27 35.213.13.19 35.213.14.217 35.213.16.67 35.213.17.235 35.213.23.166 35.213.25.164 35.213.26.62 35.213.27.252 35.213.32.0/24 35.213.33.74 35.213.34.204 35.213.37.81 35.213.38.186 35.213.39.253 35.213.42.0/24 35.213.43.79 35.213.45.0/24 35.213.46.136 35.213.49.17 35.213.50.0/24 35.213.51.213 35.213.52.0/25 35.213.53.0/24 35.213.54.0/24 35.213.56.0/25 35.213.59.0/24 35.213.61.58 35.213.65.0/24 35.213.67.0/24 35.213.68.192/26 35.213.70.151 35.213.72.128/25 35.213.73.245 35.213.74.131 35.213.78.0/24 35.213.79.137 35.213.80.0/25 35.213.83.128/25 35.213.84.245 35.213.85.0/24 35.213.88.145 35.213.89.80/28 35.213.90.0/24 35.213.91.195 35.213.92.0/24 35.213.93.254 35.213.94.78 35.213.95.145 35.213.96.87 35.213.98.0/24 35.213.99.126 35.213.101.214 
35.213.102.0/24 35.213.105.0/24 35.213.106.128/25 35.213.107.158 35.213.109.0/24 35.213.110.40 35.213.111.0/25 35.213.115.0/25 35.213.120.0/24 35.213.122.0/24 35.213.124.89 35.213.125.40 35.213.126.185 35.213.127.0/24 35.213.128.0/22 35.213.132.0/23 35.213.134.140 35.213.135.0/24 35.213.136.0/23 35.213.138.128/25 35.213.139.0/24 35.213.140.0/25 35.213.141.164 35.213.142.128/25 35.213.143.0/24 35.213.144.0/22 35.213.148.0/23 35.213.150.0/24 35.213.152.0/23 35.213.154.137 35.213.155.134 35.213.156.144 35.213.157.0/24 35.213.158.64/26 35.213.160.90 35.213.161.253 35.213.162.0/25 35.213.163.0/24 35.213.164.0/23 35.213.166.106 35.213.167.160/27 35.213.168.0/24 35.213.169.179 35.213.170.0/24 35.213.171.201 35.213.172.159 35.213.173.0/24 35.213.174.128/25 35.213.175.128/26 35.213.176.0/24 35.213.177.0/25 35.213.179.139 35.213.180.0/24 35.213.181.0/25 35.213.182.0/23 35.213.184.0/23 35.213.186.70 35.213.187.0/24 35.213.188.128/25 35.213.190.158 35.213.191.0/24 35.213.192.240/31 35.213.193.74 35.213.194.0/25 35.213.195.178 35.213.196.38 35.213.197.68 35.213.198.0/23 35.213.200.0/23 35.213.202.0/25 35.213.203.195 35.213.204.32/27 35.213.205.170 35.213.207.128/25 35.213.208.85 35.213.210.0/24 35.213.211.176/29 35.213.212.0/24 35.213.213.225 35.213.214.0/25 35.213.215.255 35.213.217.0/24 35.213.218.248 35.213.219.0/25 35.213.220.211 35.213.221.0/24 35.213.222.215 35.213.223.0/24 35.213.225.0/24 35.213.227.227 35.213.229.17 35.213.230.89 35.213.231.0/24 35.213.233.0/24 35.213.234.134 35.213.236.0/24 35.213.237.212 35.213.238.0/24 35.213.240.212 35.213.241.0/24 35.213.242.10 35.213.243.219 35.213.244.146 35.213.245.119 35.213.246.0/23 35.213.249.79 35.213.250.0/24 35.213.251.74 35.213.252.0/24 35.213.253.155 35.213.254.89 35.214.128.248 35.214.129.220 35.214.130.217 35.214.131.144 35.214.132.189 35.214.133.0/24 35.214.134.163 35.214.137.0/24 35.214.138.0/25 35.214.140.0/24 35.214.142.0/24 35.214.143.41 35.214.144.26 35.214.145.200 35.214.146.9 35.214.147.135 35.214.148.89 
35.214.149.110 35.214.151.128/25 35.214.152.0/24 35.214.156.115 35.214.158.181 35.214.159.128/25 35.214.160.128/25 35.214.161.217 35.214.162.0/24 35.214.163.28 35.214.165.102 35.214.167.77 35.214.169.0/24 35.214.170.2 35.214.171.0/25 35.214.172.128/25 35.214.173.0/24 35.214.175.0/24 35.214.177.183 35.214.179.46 35.214.180.0/23 35.214.184.179 35.214.185.28 35.214.186.3 35.214.187.0/24 35.214.191.0/24 35.214.192.128/25 35.214.193.0/24 35.214.194.128/25 35.214.195.0/25 35.214.196.64/26 35.214.197.0/24 35.214.198.7 35.214.199.224 35.214.201.0/25 35.214.203.155 35.214.204.0/23 35.214.207.0/24 35.214.208.128/25 35.214.209.64 35.214.210.0/24 35.214.211.3 35.214.212.64/26 35.214.213.0/25 35.214.214.0/24 35.214.215.64/26 35.214.216.0/23 35.214.218.140 35.214.219.0/24 35.214.220.149 35.214.221.0/24 35.214.222.149 35.214.223.0/24 35.214.224.71 35.214.225.0/24 35.214.226.0/23 35.214.228.0/23 35.214.231.187 35.214.233.8 35.214.235.38 35.214.237.0/24 35.214.238.0/25 35.214.239.0/24 35.214.240.87 35.214.241.0/24 35.214.243.21 35.214.244.0/24 35.214.245.16/28 35.214.246.106 35.214.248.119 35.214.249.154 35.214.250.0/24 35.214.251.128/25 35.214.252.187 35.214.253.0/24 35.214.255.154 35.215.72.85 35.215.73.65 35.215.83.0 35.215.108.111 35.215.115.120 35.215.126.35 35.215.127.34 35.215.128.0/21 35.215.136.0/26 35.215.137.0/24 35.215.138.0/23 35.215.140.0/24 35.215.141.64/27 35.215.142.0/24 35.215.143.83 35.215.144.128/25 35.215.145.0/24 35.215.146.0/24 35.215.147.86 35.215.148.0/23 35.215.150.0/26 35.215.151.0/24 35.215.152.0/24 35.215.153.128/25 35.215.154.240/28 35.215.155.20 35.215.156.0/24 35.215.158.0/23 35.215.160.192/26 35.215.161.0/24 35.215.163.0/24 35.215.164.0/24 35.215.165.236 35.215.166.128/25 35.215.167.128/25 35.215.168.0/24 35.215.169.12 35.215.170.0/23 35.215.172.0/22 35.215.176.0/24 35.215.177.72 35.215.178.0/24 35.215.179.161 35.215.180.0/22 35.215.184.253 35.215.185.64/26 35.215.186.0/25 35.215.187.0/24 35.215.188.0/23 35.215.190.0/24 35.215.191.61 35.215.192.0/23 
35.215.194.192/28 35.215.195.0/24 35.215.196.0/25 35.215.197.0/25 35.215.198.230 35.215.199.204 35.215.200.0/23 35.215.202.0/24 35.215.203.0/25 35.215.204.128/25 35.215.205.0/25 35.215.206.0/23 35.215.208.0/24 35.215.209.0/25 35.215.210.0/23 35.215.212.0/22 35.215.216.0/22 35.215.221.0/24 35.215.222.128/25 35.215.223.126 35.215.224.0/23 35.215.226.0/24 35.215.227.0/25 35.215.228.0/24 35.215.229.64 35.215.230.89 35.215.231.0/24 35.215.232.0/24 35.215.233.0/25 35.215.234.37 35.215.235.0/24 35.215.238.0/25 35.215.239.119 35.215.240.0/24 35.215.241.128/25 35.215.242.0/25 35.215.243.0/24 35.215.244.0/23 35.215.246.222 35.215.247.0/24 35.215.248.0/22 35.215.252.0/24 35.215.253.118 35.215.254.0/23 35.217.0.0/24 35.217.1.64/26 35.217.2.5 35.217.3.0/24 35.217.4.72 35.217.5.0/25 35.217.6.0/24 35.217.8.0/25 35.217.9.0/24 35.217.11.186 35.217.12.0/24 35.217.14.192/26 35.217.15.65 35.217.16.75 35.217.17.128/25 35.217.18.0/24 35.217.19.183 35.217.20.0/24 35.217.21.128/25 35.217.22.128/25 35.217.23.128/25 35.217.24.0/24 35.217.25.81 35.217.26.0/24 35.217.27.128/25 35.217.28.128/25 35.217.29.0/24 35.217.30.0/25 35.217.31.0/25 35.217.32.128/25 35.217.33.0/24 35.217.35.128/25 35.217.36.0/23 35.217.38.179 35.217.39.186 35.217.40.176 35.217.41.204 35.217.43.0/24 35.217.45.248 35.217.46.0/24 35.217.47.128/25 35.217.48.195 35.217.49.160/27 35.217.50.0/25 35.217.51.0/24 35.217.52.117 35.217.53.128/25 35.217.54.0/25 35.217.55.96/27 35.217.56.6 35.217.57.184 35.217.58.0/24 35.217.59.64/26 35.217.60.0/24 35.217.61.128/25 35.217.62.0/24 35.217.63.128/25 35.219.225.149 35.219.226.57 35.219.227.0/24 35.219.228.37 35.219.229.128/25 35.219.230.0/23 35.219.235.0/24 35.219.236.198 35.219.238.115 35.219.239.0/24 35.219.241.0/24 35.219.242.221 35.219.243.191 35.219.244.1 35.219.245.0/24 35.219.246.159 35.219.247.0/26 35.219.248.0/24 35.219.249.126 35.219.251.186 35.219.252.0/23 35.219.254.0/24 64.233.161.207 64.233.162.207 64.233.163.207 64.233.164.207 64.233.165.207 66.22.196.0/26 66.22.197.0/24 
66.22.198.0/26 66.22.199.0/24 66.22.200.0/26 66.22.202.0/26 66.22.204.0/24 66.22.206.0/24 66.22.208.0/25 66.22.210.0/26 66.22.212.0/24 66.22.214.0/24 66.22.216.0/23 66.22.220.0/25 66.22.221.0/24 66.22.222.0/23 66.22.224.0/25 66.22.225.0/26 66.22.226.0/25 66.22.227.0/25 66.22.228.0/22 66.22.233.0/24 66.22.234.0/24 66.22.236.0/23 66.22.238.0/24 66.22.240.0/22 66.22.244.0/23 66.22.248.0/24 74.125.131.207 74.125.205.207 104.17.51.93 104.17.117.93 104.18.4.161 104.18.5.161 104.18.8.105 104.18.9.105 104.18.30.128 104.18.31.128 104.21.2.204 104.21.25.51 104.21.40.151 104.21.59.128 104.21.72.221 104.21.82.160 108.177.14.207 138.128.140.240/28 142.250.150.207 142.251.1.207 162.159.128.232/30 162.159.129.232/30 162.159.130.232/30 162.159.133.232/30 162.159.134.232/30 162.159.135.232/30 162.159.136.232/30 162.159.137.232/30 162.159.138.232/30 172.65.202.19 172.66.41.34 172.66.42.222 172.67.152.224/28 172.67.155.163 172.67.159.89 172.67.177.131 172.67.222.182 173.194.73.207 173.194.220.207 173.194.221.207 173.194.222.207 188.114.96.2 188.114.97.2 188.114.98.224 188.114.99.224 204.11.56.48 209.85.233.207}"
-DNUM=105
-QNUM_DISCORD=$(($DNUM * 5))
+alloc_dnum DNUM_DISCORD
+alloc_qnum QNUM_DISCORD
 DISCORD_SET_NAME=discord
 zapret_custom_daemons()
@@ -15,7 +15,7 @@ zapret_custom_daemons()
 # $1 - 1 - run, 0 - stop
 local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD"
- do_nfqws $1 $DNUM "$opt"
+ do_nfqws $1 $DNUM_DISCORD "$opt"
 }
 zapret_custom_firewall()
@@ -43,7 +43,7 @@ zapret_custom_firewall()
 fw_nfqws_post $1 "$f $desync $first_packets_only $dest_set" "" $QNUM_DISCORD
 [ "$1" = 1 ] || {
- ipset destroy $DISCORD_SET_NAME
+ ipset destroy $DISCORD_SET_NAME 2>/dev/null
 }
 }
diff --git a/init.d/sysv/custom.d.examples/50-quic4all b/init.d/sysv/custom.d.examples/50-quic4all
index 5f4b593..efd9031 100644
--- a/init.d/sysv/custom.d.examples/50-quic4all
+++ b/init.d/sysv/custom.d.examples/50-quic4all
@@ -2,15 +2,15 @@
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-DNUM=102
-QNUM2=$(($DNUM * 5))
+alloc_dnum DNUM_QUIC4ALL
+alloc_qnum QNUM_QUIC4ALL
 zapret_custom_daemons()
 {
 # $1 - 1 - run, 0 - stop
- local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
- do_nfqws $1 $DNUM "$opt"
+ local opt="--qnum=$QNUM_QUIC4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+ do_nfqws $1 $DNUM_QUIC4ALL "$opt"
 }
 zapret_custom_firewall()
 {
@@ -21,7 +21,7 @@ zapret_custom_firewall()
 local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
- fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+ fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM_QUIC4ALL
 }
 zapret_custom_firewall_nft()
@@ -33,5 +33,5 @@ zapret_custom_firewall_nft()
 local desync="mark and $DESYNC_MARK == 0"
 f="udp dport {$QUIC_PORTS}"
- nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+ nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM_QUIC4ALL
 }
diff --git a/init.d/sysv/custom.d.examples/50-tpws4http-nfqws4https b/init.d/sysv/custom.d.examples/50-tpws4http-nfqws4https
deleted file mode 100644
index 95042c0..0000000
--- a/init.d/sysv/custom.d.examples/50-tpws4http-nfqws4https
+++ /dev/null
@@ -1,71 +0,0 @@
-# this custom script demonstrates how to apply tpws to http and nfqws to https
-# it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
-
-zapret_custom_daemons()
-{
- # $1 - 1 - run, 0 - stop
-
- local opt
-
- [ "$MODE_HTTP" = "1" ] && {
- opt="--port=$TPPORT $TPWS_OPT"
- filter_apply_hostlist_target opt
- filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
- do_tpws $1 1 "$opt"
- }
-
- [ "$MODE_HTTPS" = "1" ] && {
- opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
- filter_apply_hostlist_target opt
- filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
- do_nfqws $1 2 "$opt"
- }
-}
-zapret_custom_firewall()
-{
- # $1 - 1 - run, 0 - stop
-
- local f4 f6
- local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
- local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-
- [ "$MODE_HTTP" = "1" ] && {
- f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
- f6=$f4
- filter_apply_ipset_target f4 f6
- fw_tpws $1 "$f4" "$f6" $TPPORT
- }
-
- [ "$MODE_HTTPS" = "1" ] && {
- f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
- f6=$f4
- filter_apply_ipset_target f4 f6
- fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
- # for modes that require incoming traffic
- fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
- }
-}
-zapret_custom_firewall_nft()
-{
- # stop logic is not required
-
- local f4 f6
- local first_packet_only="$nft_connbytes 1-$(first_packets_for_mode)"
- local desync="mark and $DESYNC_MARK == 0"
-
- [ "$MODE_HTTP" = "1" ] && {
- f4="tcp dport {$HTTP_PORTS}"
- f6=$f4
- nft_filter_apply_ipset_target f4 f6
- nft_fw_tpws "$f4" "$f6" $TPPORT
- }
-
- [ "$MODE_HTTPS" = "1" ] && {
- f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
- f6=$f4
- nft_filter_apply_ipset_target f4 f6
- nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
- # for modes that require incoming traffic
- nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
- }
-}