From b54f856c819783b62b6e060703b1bedd29550856 Mon Sep 17 00:00:00 2001 From: bol-van Date: Mon, 11 Mar 2024 19:00:22 +0300 Subject: [PATCH] blockcheck: partial OpenBSD support --- blockcheck.sh | 129 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 118 insertions(+), 11 deletions(-) diff --git a/blockcheck.sh b/blockcheck.sh index 3d70394..bda4eb8 100755 --- a/blockcheck.sh +++ b/blockcheck.sh @@ -38,6 +38,8 @@ DNSCHECK_DIG1=/tmp/dig1.txt DNSCHECK_DIG2=/tmp/dig2.txt DNSCHECK_DIGS=/tmp/digs.txt +unset PF_STATUS +PF_RULES_SAVE=/tmp/pf-zapret-save.conf killwait() { @@ -58,6 +60,65 @@ exitp() exit $1 } +pf_is_avail() +{ + [ -c /dev/pf ] +} +pf_status() +{ + pfctl -qsi | sed -nre "s/^Status: ([^ ]+).*$/\1/p" +} +pf_is_enabled() +{ + [ "$(pf_status)" = Enabled ] +} +pf_save() +{ + PF_STATUS=0 + pf_is_enabled && PF_STATUS=1 + pfctl -sr >"$PF_RULES_SAVE" +} +pf_restore() +{ + [ -n "$PF_STATUS" ] || return + if [ -f "$PF_RULES_SAVE" ]; then + pfctl -qf "$PF_RULES_SAVE" + else + echo | pfctl -qf - + fi + if [ "$PF_STATUS" = 1 ]; then + pfctl -qe + else + pfctl -qd + fi +} +pf_clean() +{ + rm -f "$PF_RULES_SAVE" +} +opf_dvtws_anchor() +{ + echo "set reassemble no" + echo "pass in quick proto tcp from port {80,443} flags SA/SA divert-packet port $IPFW_DIVERT_PORT no state" + echo "pass in quick proto tcp from port {80,443} no state" + echo "pass out quick proto tcp to port {80,443} divert-packet port $IPFW_DIVERT_PORT no state" + echo "pass" +} +opf_prepare_dvtws() +{ + opf_dvtws_anchor | pfctl -qf - + pfctl -qe +} + +cleanup() +{ + case "$UNAME" in + OpenBSD) + pf_clean + ;; + esac +} + IPT() { $IPTABLES -C "$@" >/dev/null 2>/dev/null || $IPTABLES -I "$@" @@ -127,6 +188,11 @@ check_system() FWTYPE=ipfw [ -f /etc/platform ] && read SUBSYS /dev/null & ;; - FreeBSD) + FreeBSD|OpenBSD) "$DVTWS" --port=$IPFW_DIVERT_PORT "$@" >/dev/null & ;; esac @@ -642,7 +727,9 @@ pktws_check_domain_bypass() test_has_split $desync && pktws_curl_test_update $1 $3 $s --dpi-desync-split-pos=1 --dpi-desync-ttl=1 --dpi-desync-autottl=$delta $e } done - f="badsum badseq md5sig datanoack" + f= + [ "$UNAME" = "OpenBSD" ] || f="badsum" + f="$f badseq md5sig datanoack" [ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2" for fooling in $f; do pktws_curl_test_update $1 $3 $s --dpi-desync-fooling=$fooling $e && warn_fool $fooling @@ -661,15 +748,18 @@ pktws_check_domain_bypass() [ "$sec" = 1 ] || break done - [ "$IPV" = 4 -o -n "$IP6_DEFRAG_DISABLE" ] && { - for frag in 24 32 40 64 80 104; do - tests="ipfrag2" - [ "$IPV" = 6 ] && tests="$tests hopbyhop,ipfrag2 destopt,ipfrag2" - for desync in $tests; do - pktws_curl_test_update $1 $3 --dpi-desync=$desync --dpi-desync-ipfrag-pos-tcp=$frag + # OpenBSD has checksum issues with fragmented packets + if [ "$UNAME" != "OpenBSD" ]; then + [ "$IPV" = 4 -o -n "$IP6_DEFRAG_DISABLE" ] && { + for frag in 24 32 40 64 80 104; do + tests="ipfrag2" + [ "$IPV" = 6 ] && tests="$tests hopbyhop,ipfrag2 destopt,ipfrag2" + for desync in $tests; do + pktws_curl_test_update $1 $3 --dpi-desync=$desync --dpi-desync-ipfrag-pos-tcp=$frag + done done - done - } + } + fi report_strategy $1 $3 $PKTWSD } @@ -928,7 +1018,14 @@ ask_params() pingtest() { - ping -c 1 -W 1 $1 >/dev/null + case "$UNAME" in + OpenBSD) + ping -c 1 -w 1 $1 >/dev/null + ;; + *) + ping -c 1 -W 1 $1 >/dev/null + ;; + esac } dnstest() { @@ -1048,6 +1145,7 @@ unprepare_all() pktws_ipt_unprepare 443 } ws_kill + cleanup } sigint() { @@ -1056,6 +1154,11 @@ sigint() unprepare_all exitp 1 } +sigint_cleanup() +{ + cleanup + exit 1 +} sigpipe() { # must not write anything here to stdout @@ -1068,9 +1171,11 @@ fix_sbin_path check_system require_root check_prerequisites +trap sigint_cleanup INT check_dns check_virt ask_params +trap - INT PID= NREPORT= @@ -1087,6 +1192,8 @@ done trap - PIPE trap - INT +cleanup + echo echo \* SUMMARY report_print