From d3f540a62b28addd63ff2b278d5c33fb614209d2 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Sat, 12 Oct 2024 21:55:18 +0300
Subject: [PATCH] docs/nftables.txt : add mark filter

---
 docs/nftables.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/nftables.txt b/docs/nftables.txt
index 4acbb59..ae76105 100644
--- a/docs/nftables.txt
+++ b/docs/nftables.txt
@@ -19,8 +19,8 @@ For dpi desync attack :
 nft delete table inet ztest
 nft create table inet ztest
 nft add chain inet ztest post "{type filter hook postrouting priority mangle;}"
-nft add rule inet ztest post tcp dport "{80,443}" ct original packets 1-12 queue num 200 bypass
-nft add rule inet ztest post udp dport 443 ct original packets 1-4 queue num 200 bypass
+nft add rule inet ztest post meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-12 queue num 200 bypass
+nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-4 queue num 200 bypass
 
 # auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI
 sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1