drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2024-11-26 12:10:53 +03:00
Code Issues Packages Projects Releases Wiki Activity

readme.eng update

Browse Source
This commit is contained in:
bol-van 2024-05-14 10:00:05 +03:00
parent 5304a82dcd
commit b41b8994bf
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/readme.eng.md
View File

@ -7,7 +7,7 @@ The project is mainly aimed at the Russian audience to fight russian regulator n
Some features of the project are russian reality specific (such as getting list of sites
blocked by Roskomnadzor), but most others are common.
Mainly OpenWRT targeted but also supports traditional Linux, FreeBSD, OpenBSD, partially MacOS.
Mainly OpenWRT targeted but also supports traditional Linux, FreeBSD, OpenBSD, Windows, partially MacOS.
Most features are also supported in Windows.
@ -386,9 +386,7 @@ Set up bridge networking.
### CONNTRACK
nfqws is equipped with minimalistic connection tracking system (conntrack)
It's enabled if some specific DPI circumvention methods are involved.
Currently these are `--wssize` and `--dpi-desync-cutoff` options.
It's used if some specific DPI circumvention methods are involved and helps to reassemble multi-packet requests.
Conntrack can track connection phase : SYN,ESTABLISHED,FIN , packet counts in both directions , sequence numbers.
@ -462,8 +460,8 @@ Set conntrack timeouts appropriately.
### Reassemble
nfqws supports reassemble of TLS and QUIC ClientHello.
They can consist of multiple packets if kyber crypto is used (default from chromium 124).
Chromium randomizes TLS fingerprint. SNI can be in any packet.
They can consist of multiple packets if kyber crypto is used (default starting from chromium 124).
Chromium randomizes TLS fingerprint. SNI can be in any packet or in-between.
Stateful DPIs usually reassemble all packets in the request then apply block decision.
If nfqws receives a partial ClientHello it begins reassemble session. Packets are delayed until it's finished.
Then the first packet goes through desync using fully reassembled message. Other packets are sent
@ -491,10 +489,14 @@ By default fake payload is 64 zeroes. Can be overriden using `--dpi-desync-fake-
### IP fragmentation
Modern network is very hostile to IP fragmentation. Fragmented packets are often not delivered or refragmented/reassembled on the way.
Modern network can be very hostile to IP fragmentation. Fragmented packets are often not delivered or refragmented/reassembled on the way.
Frag position is set independently for tcp and udp. By default 24 and 8, must be multiple of 8.
Offset starts from the transport header.
tcp fragments are almost always filtered. It's absolutely not suitable for arbitrary websites.
udp fragments have good chances to survive but not everywhere. It's good to assume success rate on QUIC between 50..75%.
Likely more with your VPS. Sometimes filtered by DDoS protection.
There are important nuances when working with fragments in Linux.
ipv4 : Linux allows to send ipv4 fragments but standard firewall rules in OUTPUT chain can cause raw send to fail.