From e2a5f6bb21f6b2f566baad04f11b2bd48b182a79 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Mon, 30 May 2022 09:27:30 +0300
Subject: [PATCH] complex TSPU hack is overkill
---
 ...qws-quic4all-tspu => custom-nfqws-quic4all-complex} | 6 +++---
 ...qws-quic4all-tspu => custom-nfqws-quic4all-complex} | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)
 rename init.d/openwrt/{custom-nfqws-quic4all-tspu => custom-nfqws-quic4all-complex} (90%)
 rename init.d/sysv/{custom-nfqws-quic4all-tspu => custom-nfqws-quic4all-complex} (87%)
diff --git a/init.d/openwrt/custom-nfqws-quic4all-tspu b/init.d/openwrt/custom-nfqws-quic4all-complex
similarity index 90%
rename from init.d/openwrt/custom-nfqws-quic4all-tspu
rename to init.d/openwrt/custom-nfqws-quic4all-complex
index 0aeba80..030a7a7 100644
--- a/init.d/openwrt/custom-nfqws-quic4all-tspu
+++ b/init.d/openwrt/custom-nfqws-quic4all-complex
@@ -1,11 +1,11 @@
 # this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
-# and also sends special fake on outgoing packets with short header and udp.length>=600
+# and also sends special fake on the first outgoing packet with short header and udp.length>600
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # need to add to config : NFQWS_OPT_DESYNC_QUIC_SHORT_HEADER="--dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-unknown-udp=/opt/zapret/files/fake/quic_short_header.bin --dpi-desync-cutoff=n2"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-# this hack is for russian TSPU QUIC blocking
-# without additional short header fake connections randomly hang
+# this hack was first intended for TSPU but it appeared that it's overkill
+# it's enough to send short header fake before initial
 QNUM2=$(($QNUM+10))
 QNUM3=$(($QNUM+11))
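Review bot: The header comment in init.d/openwrt/custom-nfqws-quic4all-complex now says `udp.length>600`, but this file's section changes only comments, while the sysv variant also moves its length match from 600 to 601. If the openwrt script carries its own length rule further down (not visible in this hunk), it may still start at 600 and disagree with the comment. Confirm this and either update that rule in the same commit or keep `>=600` in this file's comment. The file is also renamed, so any config or documentation that still refers to `custom-nfqws-quic4all-tspu` would need the new name.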
diff --git a/init.d/sysv/custom-nfqws-quic4all-tspu b/init.d/sysv/custom-nfqws-quic4all-complex
similarity index 87%
rename from init.d/sysv/custom-nfqws-quic4all-tspu
rename to init.d/sysv/custom-nfqws-quic4all-complex
index 8a29eb2..3173494 100644
--- a/init.d/sysv/custom-nfqws-quic4all-tspu
+++ b/init.d/sysv/custom-nfqws-quic4all-complex
@@ -1,11 +1,11 @@
 # this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
-# and also sends special fake on outgoing packets with short header and udp.length>=600
+# and also sends special fake on the first outgoing packet with short header and udp.length>600
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # need to add to config : NFQWS_OPT_DESYNC_QUIC_SHORT_HEADER="--dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-fake-unknown-udp=/opt/zapret/files/fake/quic_short_header.bin --dpi-desync-cutoff=n2"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-# this hack is for russian TSPU QUIC blocking
-# without additional short header fake connections randomly hang
+# this hack was first intended for TSPU but it appeared that it's overkill
+# it's enough to send short header fake before initial
 QNUM2=$(($QNUM+10))
 QNUM3=$(($QNUM+11))
@@ -33,7 +33,7 @@ zapret_custom_firewall()
 local f
 local first_packets_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:3"
 local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
- local udplen="-m length --length 600:1500"
+ local udplen="-m length --length 601:1500"
 local short_header4="-m u32 --u32 0>>22&0x3C@8>>24&0xC0=0x40"
 zapret_do_firewall_rules_ipt $1
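Review bot: The two backends do not appear to measure the same quantity. As far as I know, iptables `-m length --length 601:1500` in zapret_custom_firewall compares the whole IP packet length, IP header included, whereas `udp length 601-1500` in zapret_custom_firewall_nft (the next hunk) compares the UDP length field that the header comment describes as `udp.length>600`. With identical numbers, the iptables rule would start matching at a UDP length about 20 bytes (IPv4) or 40 bytes (IPv6) smaller than the nft rule, so the one-byte boundary change lands on different packets per backend. Either derive the iptables bounds per address family, or document the difference next to `udplen`, e.g. `# -m length counts the IP header; nft 'udp length' does not`. Both functions continue outside their hunks, so how `udplen` is combined with the v4/v6 rules is not visible here.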
@@ -52,7 +52,7 @@ zapret_custom_firewall_nft()
 local f
 local first_packets_only="ct original packets 1-3"
 local desync="mark and $DESYNC_MARK == 0"
- local udplen="udp length 600-1500"
+ local udplen="udp length 601-1500"
 local short_header4="@th,64,2 1"
 zapret_apply_firewall_rules_nft