From 8385394fd6447f9be275b43b931625e6dc4e72f6 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Thu, 14 Mar 2024 18:04:37 +0300
Subject: [PATCH] bsd: use not diverted filter for incoming traffic also

---
 blockcheck.sh | 2 +-
 docs/bsd.eng.md | 4 ++--
 docs/bsd.txt | 4 ++--
 docs/bsdfw.txt | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/blockcheck.sh b/blockcheck.sh
index 4d7ab98..e11050c 100755
--- a/blockcheck.sh
+++ b/blockcheck.sh
@@ -515,7 +515,7 @@ pktws_ipt_prepare()
 IPFW_ADD divert $IPFW_DIVERT_PORT tcp from me to any $1 proto ip${IPV} out not diverted not sockarg
 # for autottl mode
- IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in
+ IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in not diverted not sockarg
 ;;
 opf)
 opf_prepare_dvtws $1
diff --git a/docs/bsd.eng.md b/docs/bsd.eng.md
index 7279d08..d71aad2 100644
--- a/docs/bsd.eng.md
+++ b/docs/bsd.eng.md
@@ -156,7 +156,7 @@ For all traffic:
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
 # required for autottl mode only
-ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
+ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
 /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
 ```
@@ -166,7 +166,7 @@
 ipfw delete 100
 ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
 ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
 # required for autottl mode only
-ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in recv em0
+ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
 /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
 ```
diff --git a/docs/bsd.txt b/docs/bsd.txt
index b8a7b96..2a26484 100644
--- a/docs/bsd.txt
+++ b/docs/bsd.txt
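Review bot: The `not diverted not sockarg` pair added to the inbound syn,ack divert rule is left unexplained; the `# for autottl mode` comment above it says when the rule is needed but not why the two re-entry guards are there, and the same pair on the outbound rule one line up is equally undocumented. The rationale is visible elsewhere in this very patch (the docs/bsd.txt context line about preventing fake packets from re-entering processing), so I would carry it into the script: `# for autottl mode; 'not diverted' keeps the syn,ack that dvtws re-injects through the divert socket from being diverted again (loop guard), 'not sockarg' mirrors the outbound rule's guard for packets marked by dvtws' socket cookie (TODO confirm it has any effect on the inbound path)`. Whether `sockarg` can match at all on inbound traffic is not something this patch lets me confirm; if it cannot, the comment should say so, so nobody later relies on it as a loop guard in its own right. pktws_ipt_prepare() begins before this hunk and its case statement continues past it.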
@@ -124,7 +124,7 @@ ipfw add 100 fwd ::1,988 tcp from any to any 80,443 proto ip6 recv em1
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
 # required for autottl mode only
-ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
+ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
 /opt/zapret/nfq/dvtws --port=989 ---dpi-desync=split2
 Для трафика только на таблицу zapret, за исключением таблицы nozapret :
@@ -132,7 +132,7 @@
 ipfw delete 100
 ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
 ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
 # required for autottl mode only
-ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in recv em0
+ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
 /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
 Недопущение зацикливания - повторного вхождения фейк пакетов на обработку.
diff --git a/docs/bsdfw.txt b/docs/bsdfw.txt
index 2e93c01..9031724 100644
--- a/docs/bsdfw.txt
+++ b/docs/bsdfw.txt
@@ -28,7 +28,7 @@ ipfw add 100 fwd ::1,988 tcp from any to any 80,443 proto ip6 recv em1
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
 ; required for autottl mode
-ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
+ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
 ; udp
 ipfw add 100 divert 989 udp from any to any 443 out not diverted not sockarg xmit em0