From e8012ee67f3459b6bc49c0ebea094524719d6029 Mon Sep 17 00:00:00 2001 
From: bol-van Date: Sat, 12 Oct 2024 12:33:06 +0300 Subject: [PATCH] init.d: multiple customs --- common/custom.sh | 25 +++++++ common/ipt.sh | 2 +- common/nft.sh | 2 +- common/pf.sh | 37 +++++++--- .../macos/custom.d.examples/10-inherit-tpws | 18 +++++ .../custom.d.examples/10-inherit-tpws-socks | 18 +++++ .../50-extra-tpws} | 16 +++-- init.d/macos/custom.d/.keep | 0 init.d/macos/custom.default | 21 ------ init.d/macos/functions | 4 +- init.d/openwrt/custom-reuse-builtin-mode | 47 ------------- .../custom.d.examples/10-inherit-nfqws | 22 ++++++ .../openwrt/custom.d.examples/10-inherit-tpws | 22 ++++++ .../custom.d.examples/10-inherit-tpws-socks | 22 ++++++ .../custom.d.examples/50-dht4all} | 20 ++---- init.d/openwrt/custom.d.examples/50-discord | 69 +++++++++++++++++++ .../custom.d.examples/50-quic4all} | 20 ++---- .../50-tpws4http-nfqws4https} | 6 +- init.d/openwrt/custom.d/.keep | 0 init.d/openwrt/custom.default | 33 --------- init.d/openwrt/functions | 5 +- init.d/openwrt/zapret | 2 +- init.d/sysv/custom-reuse-builtin-mode | 47 ------------- .../sysv/custom.d.examples/10-inherit-nfqws | 22 ++++++ init.d/sysv/custom.d.examples/10-inherit-tpws | 22 ++++++ .../custom.d.examples/10-inherit-tpws-socks | 22 ++++++ .../custom.d.examples/50-dht4all} | 22 ++---- init.d/sysv/custom.d.examples/50-discord | 69 +++++++++++++++++++ .../custom.d.examples/50-quic4all} | 22 ++---- .../50-tpws4http-nfqws4https} | 0 init.d/sysv/custom.d/.keep | 0 init.d/sysv/custom.default | 34 --------- init.d/sysv/functions | 7 +- install_easy.sh | 30 +++++++- 34 files changed, 436 insertions(+), 272 deletions(-) create mode 100644 common/custom.sh create mode 100644 init.d/macos/custom.d.examples/10-inherit-tpws create mode 100644 init.d/macos/custom.d.examples/10-inherit-tpws-socks rename init.d/macos/{custom-tpws => custom.d.examples/50-extra-tpws} (53%) create mode 100644 init.d/macos/custom.d/.keep delete mode 100644 init.d/macos/custom.default delete mode 100644 
init.d/openwrt/custom-reuse-builtin-mode create mode 100644 init.d/openwrt/custom.d.examples/10-inherit-nfqws create mode 100644 init.d/openwrt/custom.d.examples/10-inherit-tpws create mode 100644 init.d/openwrt/custom.d.examples/10-inherit-tpws-socks rename init.d/{sysv/custom-nfqws-dht4all => openwrt/custom.d.examples/50-dht4all} (65%) create mode 100644 init.d/openwrt/custom.d.examples/50-discord rename init.d/{sysv/custom-nfqws-quic4all => openwrt/custom.d.examples/50-quic4all} (66%) rename init.d/openwrt/{custom-tpws4http-nfqws4https => custom.d.examples/50-tpws4http-nfqws4https} (91%) create mode 100644 init.d/openwrt/custom.d/.keep delete mode 100644 init.d/openwrt/custom.default delete mode 100644 init.d/sysv/custom-reuse-builtin-mode create mode 100644 init.d/sysv/custom.d.examples/10-inherit-nfqws create mode 100644 init.d/sysv/custom.d.examples/10-inherit-tpws create mode 100644 init.d/sysv/custom.d.examples/10-inherit-tpws-socks rename init.d/{openwrt/custom-nfqws-dht4all => sysv/custom.d.examples/50-dht4all} (65%) create mode 100644 init.d/sysv/custom.d.examples/50-discord rename init.d/{openwrt/custom-nfqws-quic4all => sysv/custom.d.examples/50-quic4all} (64%) rename init.d/sysv/{custom-tpws4http-nfqws4https => custom.d.examples/50-tpws4http-nfqws4https} (100%) create mode 100644 init.d/sysv/custom.d/.keep delete mode 100644 init.d/sysv/custom.default
diff --git a/common/custom.sh b/common/custom.sh new file mode 100644
index 0000000..40b65a7
--- /dev/null
+++ b/common/custom.sh
@@ -0,0 +1,25 @@
+custom_runner()
+{
+ # $1 - function name
+ # $2+ - params
+
+ local n script FUNC=$1
+
+ shift
+
+ [ -f "$CUSTOM_DIR/custom" ] && {
+ unset -f $FUNC
+ . "$CUSTOM_DIR/custom"
+ existf $FUNC && $FUNC "$@"
+ }
+ [ -d "$CUSTOM_DIR/custom.d" ] && {
+ n=$(ls "$CUSTOM_DIR/custom.d" | wc -c | xargs)
+ [ "$n" = 0 ] || {
+ for script in "$CUSTOM_DIR/custom.d/"*; do
+ unset -f $FUNC
+ . "$script"
+ existf $FUNC && $FUNC "$@"
+ done
+ }
+ }
+}
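Review bot: The `for script in "$CUSTOM_DIR/custom.d/"*` loop in `custom_runner` sources every directory entry without checking what it is, so a subdirectory or any leftover file in custom.d is fed to `.` with the init script's privileges. A guard as the first statement of the loop, `[ -f "$script" ] || continue`, skips non-regular entries and also handles the unmatched-glob case that `n=$(ls "$CUSTOM_DIR/custom.d" | wc -c | xargs)` is there to detect, so the `ls` pipeline could be dropped. `$FUNC` is expanded unquoted in `unset -f $FUNC` and `existf $FUNC && $FUNC "$@"`; quoting it is free. A header comment saying that `custom` runs first, that custom.d entries follow in glob order and that `$FUNC` is unset before each one would document the contract the numeric file prefixes rely on.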
diff --git a/common/ipt.sh b/common/ipt.sh index ec5af86..c134d82 100644 --- a/common/ipt.sh +++ b/common/ipt.sh @@ -437,7 +437,7 @@ zapret_do_firewall_rules_ipt() fi ;; custom) - existf zapret_custom_firewall && zapret_custom_firewall $1 + custom_runner zapret_custom_firewall $1 ;; esac } diff --git a/common/nft.sh b/common/nft.sh index aed2512..4465676 100644 --- a/common/nft.sh +++ b/common/nft.sh @@ -705,7 +705,7 @@ zapret_apply_firewall_rules_nft() POSTNAT=$POSTNAT_SAVE ;; custom) - existf zapret_custom_firewall_nft && zapret_custom_firewall_nft + custom_runner zapret_custom_firewall_nft ;; esac } diff --git a/common/pf.sh b/common/pf.sh index a6fa57c..4516a00 100644 --- a/common/pf.sh +++ b/common/pf.sh @@ -106,6 +106,11 @@ pf_anchor_zapret_tables() eval $tblv="\"\$_tbl\"" } +pf_nat_reorder_rules() +{ + # this is dirty hack to move rdr above route-to and remove route-to dups + sort -rfu +} pf_anchor_port_target() { if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then @@ -119,9 +124,17 @@ pf_anchor_port_target() pf_anchor_zapret_v4_tpws() { - # $1 - port + # $1 - tpws listen port + # $2 - rdr ports. defaults are used if empty + + local rule port + + if [ -n "$2" ]; then + port="{$2}" + else + port=$(pf_anchor_port_target) + fi - local rule port=$(pf_anchor_port_target) for lan in $IFACE_LAN; do for t in $tbl; do echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1" @@ -144,7 +157,7 @@ pf_anchor_zapret_v4() { local tbl port [ "$DISABLE_IPV4" = "1" ] || { - case $MODE in + case "${MODE_OVERRIDE:-$MODE}" in tpws) [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST" 
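Review bot: `pf_nat_reorder_rules` depends on `sort -rfu` to place `rdr` lines above the rest, but that order follows the collation of whatever locale the caller runs in, and `-f` combined with `-u` also merges lines that differ only in letter case. Unless case folding is intended, `LC_ALL=C sort -ru` gives a byte-wise, reproducible order. The comment should also state that the filter reorders and de-duplicates everything the custom scripts print, since later hunks pipe the whole `custom_runner` output through it in `pf_anchor_zapret_v4` and `pf_anchor_zapret_v6`.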
@@ -152,16 +165,24 @@ pf_anchor_zapret_v4() ;; custom) pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST" - existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4 + custom_runner zapret_custom_firewall_v4 | pf_nat_reorder_rules ;; esac } } pf_anchor_zapret_v6_tpws() { - # $1 - port + # $1 - tpws listen port + # $2 - rdr ports. defaults are used if empty + + local rule LL_LAN port + + if [ -n "$2" ]; then + port="{$2}" + else + port=$(pf_anchor_port_target) + fi - local LL_LAN rule port=$(pf_anchor_port_target) # LAN link local is only for router for lan in $IFACE_LAN; do LL_LAN=$(get_ipv6_linklocal $lan) @@ -188,7 +209,7 @@ pf_anchor_zapret_v6() local tbl port [ "$DISABLE_IPV6" = "1" ] || { - case $MODE in + case "${MODE_OVERRIDE:-$MODE}" in tpws) [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6" @@ -196,7 +217,7 @@ pf_anchor_zapret_v6() ;; custom) pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6" - existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6 + custom_runner zapret_custom_firewall_v6 | pf_nat_reorder_rules ;; esac } diff --git a/init.d/macos/custom.d.examples/10-inherit-tpws b/init.d/macos/custom.d.examples/10-inherit-tpws new file mode 100644 index 0000000..a4c08c5 --- /dev/null +++ b/init.d/macos/custom.d.examples/10-inherit-tpws @@ -0,0 +1,18 @@ +# this custom script applies tpws mode as it would be with MODE=tpws + +OVERRIDE=tpws + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1 +} +zapret_custom_firewall_v4() +{ + MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4 +} +zapret_custom_firewall_v6() +{ + MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6 +} diff --git a/init.d/macos/custom.d.examples/10-inherit-tpws-socks b/init.d/macos/custom.d.examples/10-inherit-tpws-socks new file mode 100644 index 0000000..bdcda12 --- /dev/null 
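Review bot: `MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1` in the new 10-inherit-tpws example places a temporary assignment in front of a shell function call, and whether that assignment is undone when the function returns differs between shells (some keep it when running in POSIX mode). If it persists, `case "${MODE_OVERRIDE:-$MODE}"` in pf.sh would keep selecting the overridden mode for later calls in the same shell instead of `custom`. The removed custom-reuse-builtin-mode examples scoped it with `local MODE_OVERRIDE=tpws`; the same form here, `local MODE_OVERRIDE=$OVERRIDE` followed by the plain call, removes the ambiguity. The same pattern is used in the other 10-inherit-* files added for macos, openwrt and sysv.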
+++ b/init.d/macos/custom.d.examples/10-inherit-tpws-socks @@ -0,0 +1,18 @@ +# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks + +OVERRIDE=tpws-socks + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1 +} +zapret_custom_firewall_v4() +{ + MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4 +} +zapret_custom_firewall_v6() +{ + MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6 +} diff --git a/init.d/macos/custom-tpws b/init.d/macos/custom.d.examples/50-extra-tpws similarity index 53% rename from init.d/macos/custom-tpws rename to init.d/macos/custom.d.examples/50-extra-tpws index 1f99a0e..dfe6d10 100644 --- a/init.d/macos/custom-tpws +++ b/init.d/macos/custom.d.examples/50-extra-tpws @@ -1,16 +1,20 @@ # this script is an example describing how to run tpws on a custom port -TPPORT_MY=987 +DNUM=100 +TPPORT_MY=${TPPORT_MY:-987} +TPWS_OPT_MY=${TPWS_OPT_MY:-987} +TPWS_OPT_SUFFIX_MY="${TPWS_OPT_SUFFIX_MY:-}" +DPORTS_MY=${DPORTS_MY:-20443,20444,30000-30009} zapret_custom_daemons() { # $1 - 1 - run, 0 - stop local opt="--user=root --port=$TPPORT_MY" tpws_apply_binds opt - opt="$opt $TPWS_OPT" + opt="$opt $TPWS_OPT_MY" filter_apply_hostlist_target opt - filter_apply_suffix opt "$TPWS_OPT_SUFFIX" - do_daemon $1 1 "$TPWS" "$opt" + filter_apply_suffix opt "$TPWS_OPT_SUFFIX_MY" + do_daemon $1 $DNUM "$TPWS" "$opt" } # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors @@ -18,9 +22,9 @@ zapret_custom_daemons() zapret_custom_firewall_v4() { - pf_anchor_zapret_v4_tpws $TPPORT_MY + pf_anchor_zapret_v4_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY) } zapret_custom_firewall_v6() { - pf_anchor_zapret_v6_tpws $TPPORT_MY + pf_anchor_zapret_v6_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY) } diff --git a/init.d/macos/custom.d/.keep b/init.d/macos/custom.d/.keep new file mode 100644 index 0000000..e69de29 
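Review bot: `TPWS_OPT_MY=${TPWS_OPT_MY:-987}` in 50-extra-tpws defaults the option string to the port number, which looks copied from the `TPPORT_MY` line above it; with no override, `opt="$opt $TPWS_OPT_MY"` appends a bare `987` to the tpws command line. The previous version appended `$TPWS_OPT`, so `TPWS_OPT_MY=${TPWS_OPT_MY:-$TPWS_OPT}` is probably what was meant, or an empty default. A one-line comment above the four `*_MY` variables saying they can be overridden from config would match the wording used in the 50-discord example.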
diff --git a/init.d/macos/custom.default b/init.d/macos/custom.default deleted file mode 100644 index e00e1c8..0000000 --- a/init.d/macos/custom.default +++ /dev/null @@ -1,21 +0,0 @@ -# this script contain your special code to launch daemons and configure firewall -# use helpers from "functions" file -# in case of upgrade keep this file only, do not modify others - -zapret_custom_daemons() -{ - # $1 - 1 - run, 0 - stop - : -} - -# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors -# they come after automated table definitions. so you can use ... - -zapret_custom_firewall_v4() -{ - : -} -zapret_custom_firewall_v6() -{ - : -} diff --git a/init.d/macos/functions b/init.d/macos/functions index 4fb826f..d004dc2 100644 --- a/init.d/macos/functions +++ b/init.d/macos/functions @@ -7,6 +7,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/base.sh" . "$ZAPRET_BASE/common/pf.sh" . "$ZAPRET_BASE/common/list.sh" +. "$ZAPRET_BASE/common/custom.sh" +CUSTOM_DIR="$ZAPRET_RW/init.d/macos" IPSET_DIR=$ZAPRET_BASE/ipset . "$IPSET_DIR/def.sh" @@ -184,7 +186,7 @@ zapret_do_daemons() filter) ;; custom) - existf zapret_custom_daemons && zapret_custom_daemons $1 + custom_runner zapret_custom_daemons $1 ;; *) echo "unsupported MODE=$MODE" diff --git a/init.d/openwrt/custom-reuse-builtin-mode b/init.d/openwrt/custom-reuse-builtin-mode deleted file mode 100644 index 39c16e8..0000000 --- a/init.d/openwrt/custom-reuse-builtin-mode +++ /dev/null 
@@ -1,47 +0,0 @@ -# this custom script demonstrates how to reuse built-in modes and add something from yourself - -MY_TPPORT=$(($TPPORT + 1)) -MY_TPWS_OPT="--methodeol --hostcase" -MY_DPORT=81 - -zapret_custom_daemons() -{ - # stop logic is managed by procd - - local MODE_OVERRIDE=tpws - local opt - - start_daemons_procd - - opt="--port=$MY_TPPORT $MY_TPWS_OPT" - filter_apply_hostlist_target opt - run_tpws 100 "$opt" -} -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - local MODE_OVERRIDE=tpws - local f4 f6 - - zapret_do_firewall_rules_ipt $1 - - f4="-p tcp --dport $MY_DPORT" - f6=$f4 - filter_apply_ipset_target f4 f6 - fw_tpws $1 "$f4" "$f6" $MY_TPPORT -} -zapret_custom_firewall_nft() -{ - # stop logic is not required - - local MODE_OVERRIDE=tpws - local f4 f6 - - zapret_apply_firewall_rules_nft - - f4="tcp dport $MY_DPORT" - f6=$f4 - nft_filter_apply_ipset_target f4 f6 - nft_fw_tpws "$f4" "$f6" $MY_TPPORT -} diff --git a/init.d/openwrt/custom.d.examples/10-inherit-nfqws b/init.d/openwrt/custom.d.examples/10-inherit-nfqws new file mode 100644 index 0000000..b156402 --- /dev/null +++ b/init.d/openwrt/custom.d.examples/10-inherit-nfqws @@ -0,0 +1,22 @@ +# this custom script applies nfqws mode as it would be with MODE=nfqws + +OVERRIDE=nfqws + +zapret_custom_daemons() +{ + # stop logic is managed by procd + + MODE_OVERRIDE=$OVERRIDE start_daemons_procd +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1 +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft +} diff --git a/init.d/openwrt/custom.d.examples/10-inherit-tpws b/init.d/openwrt/custom.d.examples/10-inherit-tpws new file mode 100644 index 0000000..ae2bdf9 --- /dev/null +++ b/init.d/openwrt/custom.d.examples/10-inherit-tpws 
@@ -0,0 +1,22 @@ +# this custom script applies tpws mode as it would be with MODE=tpws + +OVERRIDE=tpws + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE start_daemons_procd +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1 +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft +} diff --git a/init.d/openwrt/custom.d.examples/10-inherit-tpws-socks b/init.d/openwrt/custom.d.examples/10-inherit-tpws-socks new file mode 100644 index 0000000..8336b72 --- /dev/null +++ b/init.d/openwrt/custom.d.examples/10-inherit-tpws-socks @@ -0,0 +1,22 @@ +# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks + +OVERRIDE=tpws-socks + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE start_daemons_procd +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1 +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft +} diff --git a/init.d/sysv/custom-nfqws-dht4all b/init.d/openwrt/custom.d.examples/50-dht4all similarity index 65% rename from init.d/sysv/custom-nfqws-dht4all rename to init.d/openwrt/custom.d.examples/50-dht4all index dbc9a3a..3126658 100644 --- a/init.d/sysv/custom-nfqws-dht4all +++ b/init.d/openwrt/custom.d.examples/50-dht4all 
@@ -1,31 +1,24 @@ -# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering +# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5" -QNUM2=$(($QNUM+20)) +DNUM=101 +QNUM2=$(($DNUM * 5)) zapret_custom_daemons() { # stop logic is managed by procd - local MODE_OVERRIDE=nfqws - local opt - - zapret_do_daemons $1 - - opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" - do_nfqws $1 100 "$opt" + local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" + run_daemon $DNUM $NFQWS "$opt" } zapret_custom_firewall() { # $1 - 1 - run, 0 - stop - local MODE_OVERRIDE=nfqws local f uf4 uf6 local first_packet_only="$ipt_connbytes 1:1" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 - f='-p udp -m length --length 109:407 -m u32 --u32' uf4='0>>22&0x3C@8>>16=0x6431' uf6='48>>16=0x6431' @@ -36,13 +29,10 @@ zapret_custom_firewall_nft() { # stop logic is not required - local MODE_OVERRIDE=nfqws local f local first_packet_only="$nft_connbytes 1" local desync="mark and $DESYNC_MARK == 0" - zapret_apply_firewall_rules_nft - f="meta length 109-407 meta l4proto udp @th,64,16 0x6431" nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2 } diff --git a/init.d/openwrt/custom.d.examples/50-discord b/init.d/openwrt/custom.d.examples/50-discord new file mode 100644 index 0000000..2d96da8 --- /dev/null +++ b/init.d/openwrt/custom.d.examples/50-discord 
@@ -0,0 +1,69 @@ +# this custom script in addition to MODE=nfqws runs desync of some udp packets to discord subnets +# idea taken from community. not tested and not optimized by author. + +# can override in config : +NFQWS_OPT_DESYNC_DISCORD="${NFQWS_OPT_DESYNC_DISCORD:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}" +DISCORD_PORTS=${DISCORD_PORTS:-50000-65535} +DISCORD_SUBNETS="${DISCORD_SUBNETS:-5.200.14.249 18.165.140.0/25 23.227.38.74 34.0.48.0/24 34.0.49.64/26 34.0.50.0/25 34.0.51.0/24 34.0.52.0/22 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.128/25 34.0.63.228 34.0.64.0/23 34.0.66.130 34.0.82.140 34.0.129.128/25 34.0.130.0/24 34.0.131.130 34.0.132.139 34.0.133.75 34.0.134.0/24 34.0.135.251 34.0.136.51 34.0.137.0/24 34.0.139.0/24 34.0.140.0/23 34.0.142.0/25 34.0.144.0/23 34.0.146.0/24 34.0.148.25 34.0.149.101 34.0.151.0/25 34.0.153.0/24 34.0.155.0/24 34.0.156.101 34.0.157.0/25 34.0.158.247 34.0.159.188 34.0.192.0/25 34.0.193.0/24 34.0.194.0/24 34.0.195.172 34.0.196.200/29 34.0.197.81 34.0.198.25 34.0.199.0/24 34.0.200.0/24 34.0.201.81 34.0.202.34 34.0.203.0/24 34.0.204.0/23 34.0.206.0/25 34.0.207.0/25 34.0.208.195 34.0.209.0/24 34.0.210.20 34.0.211.0/26 34.0.212.0/24 34.0.213.64/26 34.0.215.128/25 34.0.216.238 34.0.217.0/24 34.0.218.83 34.0.220.103 34.0.221.0/24 34.0.222.193 34.0.223.68 34.0.227.0/24 34.0.240.0/21 34.0.248.0/23 34.0.250.0/24 34.0.251.0/25 34.1.216.0/24 34.1.221.166 35.207.64.0/23 35.207.67.116 35.207.71.0/24 35.207.72.32 35.207.73.0/24 35.207.74.0/24 35.207.75.128/25 35.207.76.128/26 35.207.77.0/24 35.207.78.129 35.207.79.0/24 35.207.80.76 35.207.81.248/30 35.207.82.0/23 35.207.84.0/24 35.207.85.160 35.207.86.41 35.207.87.184 35.207.89.188 35.207.91.146 35.207.92.230 35.207.95.0/24 35.207.97.174 35.207.99.134 35.207.100.64/26 35.207.101.130 35.207.103.64/26 35.207.104.0/24 35.207.106.128/26 35.207.107.19 35.207.108.192/27 35.207.109.185 35.207.110.0/24 35.207.111.174 35.207.114.16 35.207.115.163 35.207.116.51 
35.207.117.0/24 35.207.121.204 35.207.122.0/25 35.207.124.145 35.207.125.116 35.207.126.30 35.207.129.0/24 35.207.131.128/27 35.207.132.247 35.207.135.147 35.207.136.69 35.207.137.0/24 35.207.139.0/24 35.207.140.241 35.207.141.119 35.207.142.0/24 35.207.143.96/27 35.207.144.0/25 35.207.145.0/24 35.207.146.89 35.207.147.0/24 35.207.149.0/24 35.207.150.0/24 35.207.151.61 35.207.153.117 35.207.154.0/24 35.207.155.128/25 35.207.156.254 35.207.157.7 35.207.158.192 35.207.160.160 35.207.162.239 35.207.163.0/24 35.207.164.0/25 35.207.165.147 35.207.166.0/25 35.207.167.0/24 35.207.168.116 35.207.170.0/23 35.207.172.0/24 35.207.174.55 35.207.176.128/25 35.207.178.0/24 35.207.180.152 35.207.181.76 35.207.182.125 35.207.184.101 35.207.185.192 35.207.186.128/25 35.207.187.228 35.207.188.0/24 35.207.189.0/25 35.207.190.194 35.207.191.64/26 35.207.193.165 35.207.195.75 35.207.196.0/24 35.207.198.0/23 35.207.201.186 35.207.202.169 35.207.205.211 35.207.207.4 35.207.209.0/25 35.207.210.191 35.207.211.253 35.207.213.97 35.207.214.0/24 35.207.220.147 35.207.221.58 35.207.222.105 35.207.224.151 35.207.225.210 35.207.227.0/24 35.207.229.212 35.207.232.26 35.207.234.182 35.207.238.0/24 35.207.240.0/24 35.207.245.0/24 35.207.249.0/24 35.207.250.212 35.207.251.0/27 35.212.4.134 35.212.12.148 35.212.88.11 35.212.102.50 35.212.111.0/26 35.212.117.247 35.212.120.122 35.213.0.0/24 35.213.2.8 35.213.4.185 35.213.6.118 35.213.7.128/25 35.213.8.168 35.213.10.0/24 35.213.11.21 35.213.12.224/27 35.213.13.19 35.213.14.217 35.213.16.67 35.213.17.235 35.213.23.166 35.213.25.164 35.213.26.62 35.213.27.252 35.213.32.0/24 35.213.33.74 35.213.34.204 35.213.37.81 35.213.38.186 35.213.39.253 35.213.42.0/24 35.213.43.79 35.213.45.0/24 35.213.46.136 35.213.49.17 35.213.50.0/24 35.213.51.213 35.213.52.0/25 35.213.53.0/24 35.213.54.0/24 35.213.56.0/25 35.213.59.0/24 35.213.61.58 35.213.65.0/24 35.213.67.0/24 35.213.68.192/26 35.213.70.151 35.213.72.128/25 35.213.73.245 35.213.74.131 35.213.78.0/24 
35.213.79.137 35.213.80.0/25 35.213.83.128/25 35.213.84.245 35.213.85.0/24 35.213.88.145 35.213.89.80/28 35.213.90.0/24 35.213.91.195 35.213.92.0/24 35.213.93.254 35.213.94.78 35.213.95.145 35.213.96.87 35.213.98.0/24 35.213.99.126 35.213.101.214 35.213.102.0/24 35.213.105.0/24 35.213.106.128/25 35.213.107.158 35.213.109.0/24 35.213.110.40 35.213.111.0/25 35.213.115.0/25 35.213.120.0/24 35.213.122.0/24 35.213.124.89 35.213.125.40 35.213.126.185 35.213.127.0/24 35.213.128.0/22 35.213.132.0/23 35.213.134.140 35.213.135.0/24 35.213.136.0/23 35.213.138.128/25 35.213.139.0/24 35.213.140.0/25 35.213.141.164 35.213.142.128/25 35.213.143.0/24 35.213.144.0/22 35.213.148.0/23 35.213.150.0/24 35.213.152.0/23 35.213.154.137 35.213.155.134 35.213.156.144 35.213.157.0/24 35.213.158.64/26 35.213.160.90 35.213.161.253 35.213.162.0/25 35.213.163.0/24 35.213.164.0/23 35.213.166.106 35.213.167.160/27 35.213.168.0/24 35.213.169.179 35.213.170.0/24 35.213.171.201 35.213.172.159 35.213.173.0/24 35.213.174.128/25 35.213.175.128/26 35.213.176.0/24 35.213.177.0/25 35.213.179.139 35.213.180.0/24 35.213.181.0/25 35.213.182.0/23 35.213.184.0/23 35.213.186.70 35.213.187.0/24 35.213.188.128/25 35.213.190.158 35.213.191.0/24 35.213.192.240/31 35.213.193.74 35.213.194.0/25 35.213.195.178 35.213.196.38 35.213.197.68 35.213.198.0/23 35.213.200.0/23 35.213.202.0/25 35.213.203.195 35.213.204.32/27 35.213.205.170 35.213.207.128/25 35.213.208.85 35.213.210.0/24 35.213.211.176/29 35.213.212.0/24 35.213.213.225 35.213.214.0/25 35.213.215.255 35.213.217.0/24 35.213.218.248 35.213.219.0/25 35.213.220.211 35.213.221.0/24 35.213.222.215 35.213.223.0/24 35.213.225.0/24 35.213.227.227 35.213.229.17 35.213.230.89 35.213.231.0/24 35.213.233.0/24 35.213.234.134 35.213.236.0/24 35.213.237.212 35.213.238.0/24 35.213.240.212 35.213.241.0/24 35.213.242.10 35.213.243.219 35.213.244.146 35.213.245.119 35.213.246.0/23 35.213.249.79 35.213.250.0/24 35.213.251.74 35.213.252.0/24 35.213.253.155 35.213.254.89 35.214.128.248 
35.214.129.220 35.214.130.217 35.214.131.144 35.214.132.189 35.214.133.0/24 35.214.134.163 35.214.137.0/24 35.214.138.0/25 35.214.140.0/24 35.214.142.0/24 35.214.143.41 35.214.144.26 35.214.145.200 35.214.146.9 35.214.147.135 35.214.148.89 35.214.149.110 35.214.151.128/25 35.214.152.0/24 35.214.156.115 35.214.158.181 35.214.159.128/25 35.214.160.128/25 35.214.161.217 35.214.162.0/24 35.214.163.28 35.214.165.102 35.214.167.77 35.214.169.0/24 35.214.170.2 35.214.171.0/25 35.214.172.128/25 35.214.173.0/24 35.214.175.0/24 35.214.177.183 35.214.179.46 35.214.180.0/23 35.214.184.179 35.214.185.28 35.214.186.3 35.214.187.0/24 35.214.191.0/24 35.214.192.128/25 35.214.193.0/24 35.214.194.128/25 35.214.195.0/25 35.214.196.64/26 35.214.197.0/24 35.214.198.7 35.214.199.224 35.214.201.0/25 35.214.203.155 35.214.204.0/23 35.214.207.0/24 35.214.208.128/25 35.214.209.64 35.214.210.0/24 35.214.211.3 35.214.212.64/26 35.214.213.0/25 35.214.214.0/24 35.214.215.64/26 35.214.216.0/23 35.214.218.140 35.214.219.0/24 35.214.220.149 35.214.221.0/24 35.214.222.149 35.214.223.0/24 35.214.224.71 35.214.225.0/24 35.214.226.0/23 35.214.228.0/23 35.214.231.187 35.214.233.8 35.214.235.38 35.214.237.0/24 35.214.238.0/25 35.214.239.0/24 35.214.240.87 35.214.241.0/24 35.214.243.21 35.214.244.0/24 35.214.245.16/28 35.214.246.106 35.214.248.119 35.214.249.154 35.214.250.0/24 35.214.251.128/25 35.214.252.187 35.214.253.0/24 35.214.255.154 35.215.72.85 35.215.73.65 35.215.83.0 35.215.108.111 35.215.115.120 35.215.126.35 35.215.127.34 35.215.128.0/21 35.215.136.0/26 35.215.137.0/24 35.215.138.0/23 35.215.140.0/24 35.215.141.64/27 35.215.142.0/24 35.215.143.83 35.215.144.128/25 35.215.145.0/24 35.215.146.0/24 35.215.147.86 35.215.148.0/23 35.215.150.0/26 35.215.151.0/24 35.215.152.0/24 35.215.153.128/25 35.215.154.240/28 35.215.155.20 35.215.156.0/24 35.215.158.0/23 35.215.160.192/26 35.215.161.0/24 35.215.163.0/24 35.215.164.0/24 35.215.165.236 35.215.166.128/25 35.215.167.128/25 35.215.168.0/24 
35.215.169.12 35.215.170.0/23 35.215.172.0/22 35.215.176.0/24 35.215.177.72 35.215.178.0/24 35.215.179.161 35.215.180.0/22 35.215.184.253 35.215.185.64/26 35.215.186.0/25 35.215.187.0/24 35.215.188.0/23 35.215.190.0/24 35.215.191.61 35.215.192.0/23 35.215.194.192/28 35.215.195.0/24 35.215.196.0/25 35.215.197.0/25 35.215.198.230 35.215.199.204 35.215.200.0/23 35.215.202.0/24 35.215.203.0/25 35.215.204.128/25 35.215.205.0/25 35.215.206.0/23 35.215.208.0/24 35.215.209.0/25 35.215.210.0/23 35.215.212.0/22 35.215.216.0/22 35.215.221.0/24 35.215.222.128/25 35.215.223.126 35.215.224.0/23 35.215.226.0/24 35.215.227.0/25 35.215.228.0/24 35.215.229.64 35.215.230.89 35.215.231.0/24 35.215.232.0/24 35.215.233.0/25 35.215.234.37 35.215.235.0/24 35.215.238.0/25 35.215.239.119 35.215.240.0/24 35.215.241.128/25 35.215.242.0/25 35.215.243.0/24 35.215.244.0/23 35.215.246.222 35.215.247.0/24 35.215.248.0/22 35.215.252.0/24 35.215.253.118 35.215.254.0/23 35.217.0.0/24 35.217.1.64/26 35.217.2.5 35.217.3.0/24 35.217.4.72 35.217.5.0/25 35.217.6.0/24 35.217.8.0/25 35.217.9.0/24 35.217.11.186 35.217.12.0/24 35.217.14.192/26 35.217.15.65 35.217.16.75 35.217.17.128/25 35.217.18.0/24 35.217.19.183 35.217.20.0/24 35.217.21.128/25 35.217.22.128/25 35.217.23.128/25 35.217.24.0/24 35.217.25.81 35.217.26.0/24 35.217.27.128/25 35.217.28.128/25 35.217.29.0/24 35.217.30.0/25 35.217.31.0/25 35.217.32.128/25 35.217.33.0/24 35.217.35.128/25 35.217.36.0/23 35.217.38.179 35.217.39.186 35.217.40.176 35.217.41.204 35.217.43.0/24 35.217.45.248 35.217.46.0/24 35.217.47.128/25 35.217.48.195 35.217.49.160/27 35.217.50.0/25 35.217.51.0/24 35.217.52.117 35.217.53.128/25 35.217.54.0/25 35.217.55.96/27 35.217.56.6 35.217.57.184 35.217.58.0/24 35.217.59.64/26 35.217.60.0/24 35.217.61.128/25 35.217.62.0/24 35.217.63.128/25 35.219.225.149 35.219.226.57 35.219.227.0/24 35.219.228.37 35.219.229.128/25 35.219.230.0/23 35.219.235.0/24 35.219.236.198 35.219.238.115 35.219.239.0/24 35.219.241.0/24 35.219.242.221 
35.219.243.191 35.219.244.1 35.219.245.0/24 35.219.246.159 35.219.247.0/26 35.219.248.0/24 35.219.249.126 35.219.251.186 35.219.252.0/23 35.219.254.0/24 64.233.161.207 64.233.162.207 64.233.163.207 64.233.164.207 64.233.165.207 66.22.196.0/26 66.22.197.0/24 66.22.198.0/26 66.22.199.0/24 66.22.200.0/26 66.22.202.0/26 66.22.204.0/24 66.22.206.0/24 66.22.208.0/25 66.22.210.0/26 66.22.212.0/24 66.22.214.0/24 66.22.216.0/23 66.22.220.0/25 66.22.221.0/24 66.22.222.0/23 66.22.224.0/25 66.22.225.0/26 66.22.226.0/25 66.22.227.0/25 66.22.228.0/22 66.22.233.0/24 66.22.234.0/24 66.22.236.0/23 66.22.238.0/24 66.22.240.0/22 66.22.244.0/23 66.22.248.0/24 74.125.131.207 74.125.205.207 104.17.51.93 104.17.117.93 104.18.4.161 104.18.5.161 104.18.8.105 104.18.9.105 104.18.30.128 104.18.31.128 104.21.2.204 104.21.25.51 104.21.40.151 104.21.59.128 104.21.72.221 104.21.82.160 108.177.14.207 138.128.140.240/28 142.250.150.207 142.251.1.207 162.159.128.232/30 162.159.129.232/30 162.159.130.232/30 162.159.133.232/30 162.159.134.232/30 162.159.135.232/30 162.159.136.232/30 162.159.137.232/30 162.159.138.232/30 172.65.202.19 172.66.41.34 172.66.42.222 172.67.152.224/28 172.67.155.163 172.67.159.89 172.67.177.131 172.67.222.182 173.194.73.207 173.194.220.207 173.194.221.207 173.194.222.207 188.114.96.2 188.114.97.2 188.114.98.224 188.114.99.224 204.11.56.48 209.85.233.207}" + +DNUM=105 +QNUM_DISCORD=$(($DNUM * 5)) +DISCORD_SET_NAME=discord + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD" + run_daemon $DNUM $NFQWS "$opt" +} + +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local f + local first_packets_only="$ipt_connbytes 1:3" + local desync="-m mark ! 
--mark $DESYNC_MARK/$DESYNC_MARK" + local DISCORD_PORTS_IPT=$(replace_char - : $DISCORD_PORTS) + local dest_set="-m set --match-set $DISCORD_SET_NAME dst" + local subnet + + local DISABLE_IPV6=1 + + [ "$1" = 1 ] && { + ipset create $DISCORD_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null + ipset flush $DISCORD_SET_NAME + for subnet in $DISCORD_SUBNETS; do + echo add $DISCORD_SET_NAME $subnet + done | ipset -! restore + } + + f="-p udp -m multiport --dports $DISCORD_PORTS_IPT" + fw_nfqws_post $1 "$f $desync $first_packets_only $dest_set" "" $QNUM_DISCORD + + [ "$1" = 1 ] || { + ipset destroy $DISCORD_SET_NAME + } +} + +zapret_custom_firewall_nft() +{ + # stop logic is not required + + local f + local first_packets_only="$nft_connbytes 1-3" + local desync="mark and $DESYNC_MARK == 0" + local dest_set="ip daddr @$DISCORD_SET_NAME" + local subnets + + local DISABLE_IPV6=1 + + make_comma_list subnets $DISCORD_SUBNETS + nft_create_set $DISCORD_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;" + nft_flush_set $DISCORD_SET_NAME + nft_add_set_element $DISCORD_SET_NAME "$subnets" + + f="udp dport {$DISCORD_PORTS}" + nft_fw_nfqws_post "$f $desync $first_packets_only $dest_set" "" $QNUM_DISCORD +} diff --git a/init.d/sysv/custom-nfqws-quic4all b/init.d/openwrt/custom.d.examples/50-quic4all similarity index 66% rename from init.d/sysv/custom-nfqws-quic4all rename to init.d/openwrt/custom.d.examples/50-quic4all index 37303b4..7445344 100644 --- a/init.d/sysv/custom-nfqws-quic4all +++ b/init.d/openwrt/custom.d.examples/50-quic4all 
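Review bot: The header comment of 50-discord still says the script runs "in addition to MODE=nfqws", but nothing in the file applies the nfqws mode, and the 50-dht4all and 50-quic4all headers drop that wording in this same commit. Suggested first line: `# this custom script runs desync of some udp packets to discord subnets`. In `zapret_custom_firewall`, `ipset create ... 2>/dev/null` hides every failure, not just "set already exists", so a real create error only shows up later at `ipset flush` or the restore; `ipset -! create $DISCORD_SET_NAME hash:net hashsize 8192 maxelem 4096` without the redirect tolerates an existing identical set, as the `ipset -! restore` below it already does, and still reports other errors.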
@@ -1,32 +1,25 @@ -# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering +# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received -QNUM2=$(($QNUM+10)) +DNUM=102 +QNUM2=$(($DNUM * 5)) zapret_custom_daemons() { # $1 - 1 - run, 0 - stop - local MODE_OVERRIDE=nfqws - local opt - - zapret_do_daemons $1 - - opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - do_nfqws $1 100 "$opt" + local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" + run_daemon $DNUM $NFQWS "$opt" } zapret_custom_firewall() { # $1 - 1 - run, 0 - stop - local MODE_OVERRIDE=nfqws local f local first_packets_only="$ipt_connbytes 1:3" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 - f="-p udp -m multiport --dports $QUIC_PORTS_IPT" fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 @@ -35,13 +28,10 @@ zapret_custom_firewall_nft() { # stop logic is not required - local MODE_OVERRIDE=nfqws local f local first_packets_only="$nft_connbytes 1-3" local desync="mark and $DESYNC_MARK == 0" - zapret_apply_firewall_rules_nft - f="udp dport {$QUIC_PORTS}" nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 } diff --git a/init.d/openwrt/custom-tpws4http-nfqws4https b/init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https similarity index 91% rename from init.d/openwrt/custom-tpws4http-nfqws4https rename to init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https index d777aa8..df18da8 100644 --- a/init.d/openwrt/custom-tpws4http-nfqws4https +++ b/init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https 
@@ -3,7 +3,7 @@ zapret_custom_daemons() { - # stop logic is managed by procd + # $1 - 1 - run, 0 - stop local opt @@ -15,7 +15,7 @@ zapret_custom_daemons() } [ "$MODE_HTTPS" = "1" ] && { - opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS" + opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS" filter_apply_hostlist_target opt filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX" run_daemon 2 $NFQWS "$opt" @@ -41,6 +41,8 @@ zapret_custom_firewall() f6=$f4 filter_apply_ipset_target f4 f6 fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM + # for modes that require incoming traffic + fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM } } zapret_custom_firewall_nft() diff --git a/init.d/openwrt/custom.d/.keep b/init.d/openwrt/custom.d/.keep new file mode 100644 index 0000000..e69de29 diff --git a/init.d/openwrt/custom.default b/init.d/openwrt/custom.default deleted file mode 100644 index 508013e..0000000 --- a/init.d/openwrt/custom.default +++ /dev/null @@ -1,33 +0,0 @@ -# this script contain your special code to launch daemons and configure firewall -# use helpers from "functions" file and "zapret" init script -# in case of upgrade keep this file only, do not modify others - -zapret_custom_daemons() -{ - # stop logic is managed by procd - - # PLACEHOLDER - echo !!! NEED ATTENTION !!! - echo Start daemon\(s\) - echo Study how other sections work - - run_daemon 1 /bin/sleep 20 -} -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - # PLACEHOLDER - echo !!! NEED ATTENTION !!! - echo Configure iptables for required actions - echo Study how other sections work -} -zapret_custom_firewall_nft() -{ - # stop logic is not required - - # PLACEHOLDER - echo !!! NEED ATTENTION !!! - echo Configure nftables for required actions - echo Study how other sections work -} diff --git a/init.d/openwrt/functions b/init.d/openwrt/functions index c46d866..3c1e8d0 100644 --- a/init.d/openwrt/functions +++ b/init.d/openwrt/functions 
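Review bot: The nfqws branch now builds `opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"` without `$NFQWS_OPT_BASE`, while the openwrt 50-dht4all and 50-discord examples in this commit still pass `$NFQWS_OPT_BASE` to `run_daemon $DNUM $NFQWS`. If the base options carry the daemon's user and fwmark settings (their content is not visible here), this instance would start without them, and the `$desync` mark match used by the firewall rules presumably depends on that mark. Either keep `$NFQWS_OPT_BASE` or add a comment explaining why this script does not need it. The bodies of `zapret_custom_daemons` and `zapret_custom_firewall` continue outside the hunks.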
@@ -12,6 +12,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/nft.sh" . "$ZAPRET_BASE/common/linux_fw.sh" . "$ZAPRET_BASE/common/list.sh" +. "$ZAPRET_BASE/common/custom.sh" +CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt" [ -n "$QNUM" ] || QNUM=200 [ -n "$TPPORT" ] || TPPORT=988 @@ -27,9 +29,6 @@ LINKLOCAL_WAIT_SEC=5 IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh" -CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/openwrt/custom" -[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT" - IPSET_EXCLUDE="-m set ! --match-set nozapret" IPSET_EXCLUDE6="-m set ! --match-set nozapret6" diff --git a/init.d/openwrt/zapret b/init.d/openwrt/zapret index 46cd10b..c62760d 100755 --- a/init.d/openwrt/zapret +++ b/init.d/openwrt/zapret @@ -173,7 +173,7 @@ start_daemons_procd() } ;; custom) - existf zapret_custom_daemons && zapret_custom_daemons $1 + custom_runner zapret_custom_daemons $1 ;; esac diff --git a/init.d/sysv/custom-reuse-builtin-mode b/init.d/sysv/custom-reuse-builtin-mode deleted file mode 100644 index b36ac58..0000000 --- a/init.d/sysv/custom-reuse-builtin-mode +++ /dev/null 
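Review bot: Custom scripts are now looked up under `$ZAPRET_RW` (`CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"`) instead of the fixed `$ZAPRET_BASE/init.d/openwrt/custom`, and nothing next to the assignment states who may write there. Judging by the removed `. "$CUSTOM_SCRIPT"` line, custom code is sourced into the init script, which presumably runs as root, so every file in that directory is root-executed shell; custom_runner itself is in common/custom.sh, outside this chunk, so how it selects files cannot be checked here. I would add a comment such as `# files in $CUSTOM_DIR/custom.d are sourced as root: keep the directory root-owned and not group/world-writable`, and consider having the runner skip files that fail that check. The init.d/sysv/functions hunk later in this patch makes the same change.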
@@ -1,47 +0,0 @@ -# this custom script demonstrates how to reuse built-in modes and add something from yourself - -MY_TPPORT=$(($TPPORT + 1)) -MY_TPWS_OPT="--methodeol --hostcase" -MY_DPORT=81 - -zapret_custom_daemons() -{ - # $1 - 1 - run, 0 - stop - - local MODE_OVERRIDE=tpws - local opt - - zapret_do_daemons $1 - - opt="--port=$MY_TPPORT $MY_TPWS_OPT" - filter_apply_hostlist_target opt - do_tpws $1 100 "$opt" -} -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - local MODE_OVERRIDE=tpws - local f4 f6 - - zapret_do_firewall_rules_ipt $1 - - f4="-p tcp --dport $MY_DPORT" - f6=$f4 - filter_apply_ipset_target f4 f6 - fw_tpws $1 "$f4" "$f6" $MY_TPPORT -} -zapret_custom_firewall_nft() -{ - # stop logic is not required - - local MODE_OVERRIDE=tpws - local f4 f6 - - zapret_apply_firewall_rules_nft - - f4="tcp dport $MY_DPORT" - f6=$f4 - nft_filter_apply_ipset_target f4 f6 - nft_fw_tpws "$f4" "$f6" $MY_TPPORT -} diff --git a/init.d/sysv/custom.d.examples/10-inherit-nfqws b/init.d/sysv/custom.d.examples/10-inherit-nfqws new file mode 100644 index 0000000..6002969 --- /dev/null +++ b/init.d/sysv/custom.d.examples/10-inherit-nfqws @@ -0,0 +1,22 @@ +# this custom script applies nfqws mode as it would be with MODE=nfqws + +OVERRIDE=nfqws + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1 +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1 +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft +} diff --git a/init.d/sysv/custom.d.examples/10-inherit-tpws b/init.d/sysv/custom.d.examples/10-inherit-tpws new file mode 100644 index 0000000..c1b183e --- /dev/null +++ b/init.d/sysv/custom.d.examples/10-inherit-tpws 
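Review bot: In the new 10-inherit-nfqws file, `MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1` puts a variable assignment in front of a shell function call, and POSIX leaves it unspecified whether such an assignment persists after the function returns. The deleted custom-reuse-builtin-mode used `local MODE_OVERRIDE=tpws` inside the function, which is scoped in every shell that supports `local`. With several custom scripts now run one after another, a leaked `MODE_OVERRIDE` could change what a later script or the built-in mode logic does, so I would keep the old form: `local MODE_OVERRIDE=$OVERRIDE` followed by `zapret_do_daemons $1`, and likewise in the two firewall functions. 10-inherit-tpws and 10-inherit-tpws-socks in the following hunks use the same pattern.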
@@ -0,0 +1,22 @@ +# this custom script applies tpws mode as it would be with MODE=tpws + +OVERRIDE=tpws + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1 +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1 +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft +} diff --git a/init.d/sysv/custom.d.examples/10-inherit-tpws-socks b/init.d/sysv/custom.d.examples/10-inherit-tpws-socks new file mode 100644 index 0000000..7fcb0e2 --- /dev/null +++ b/init.d/sysv/custom.d.examples/10-inherit-tpws-socks @@ -0,0 +1,22 @@ +# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks + +OVERRIDE=tpws-socks + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1 +} +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1 +} +zapret_custom_firewall_nft() +{ + # stop logic is not required + + MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft +} diff --git a/init.d/openwrt/custom-nfqws-dht4all b/init.d/sysv/custom.d.examples/50-dht4all similarity index 65% rename from init.d/openwrt/custom-nfqws-dht4all rename to init.d/sysv/custom.d.examples/50-dht4all index 069aa4b..735b2c5 100644 --- a/init.d/openwrt/custom-nfqws-dht4all +++ b/init.d/sysv/custom.d.examples/50-dht4all 
@@ -1,47 +1,39 @@ -# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering +# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5" -QNUM2=$(($QNUM+20)) +DNUM=101 +QNUM2=$(($DNUM * 5)) zapret_custom_daemons() { # stop logic is managed by procd - local MODE_OVERRIDE=nfqws - local opt - - start_daemons_procd - - opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" - run_daemon 100 $NFQWS "$opt" + local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT" + do_nfqws $1 $DNUM "$opt" } zapret_custom_firewall() { # $1 - 1 - run, 0 - stop - local MODE_OVERRIDE=nfqws local f uf4 uf6 local first_packet_only="$ipt_connbytes 1:1" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 - f='-p udp -m length --length 109:407 -m u32 --u32' uf4='0>>22&0x3C@8>>16=0x6431' uf6='48>>16=0x6431' fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2 + } zapret_custom_firewall_nft() { # stop logic is not required - local MODE_OVERRIDE=nfqws local f local first_packet_only="$nft_connbytes 1" local desync="mark and $DESYNC_MARK == 0" - zapret_apply_firewall_rules_nft - f="meta length 109-407 meta l4proto udp @th,64,16 0x6431" nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2 } + diff --git a/init.d/sysv/custom.d.examples/50-discord b/init.d/sysv/custom.d.examples/50-discord new file mode 100644 index 0000000..7bfa100 --- /dev/null +++ b/init.d/sysv/custom.d.examples/50-discord 
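Review bot: The comment `# stop logic is managed by procd` in zapret_custom_daemons is left as context although this file now lives under init.d/sysv and the body calls `do_nfqws $1 $DNUM "$opt"`, which takes the run/stop flag. The sysv 50-quic4all hunk in this patch corrects the same line, so this one looks overlooked; it should read `# $1 - 1 - run, 0 - stop`. The hunk also adds an empty line before the closing brace of zapret_custom_firewall and one at the end of the file, both of which can be dropped.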
@@ -0,0 +1,69 @@ +# this custom script in addition to MODE=nfqws runs desync of some udp packets to discord subnets +# idea taken from community. not tested and not optimized by author. + +# can override in config : +NFQWS_OPT_DESYNC_DISCORD="${NFQWS_OPT_DESYNC_DISCORD:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}" +DISCORD_PORTS=${DISCORD_PORTS:-50000-65535} +DISCORD_SUBNETS="${DISCORD_SUBNETS:-5.200.14.249 18.165.140.0/25 23.227.38.74 34.0.48.0/24 34.0.49.64/26 34.0.50.0/25 34.0.51.0/24 34.0.52.0/22 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.128/25 34.0.63.228 34.0.64.0/23 34.0.66.130 34.0.82.140 34.0.129.128/25 34.0.130.0/24 34.0.131.130 34.0.132.139 34.0.133.75 34.0.134.0/24 34.0.135.251 34.0.136.51 34.0.137.0/24 34.0.139.0/24 34.0.140.0/23 34.0.142.0/25 34.0.144.0/23 34.0.146.0/24 34.0.148.25 34.0.149.101 34.0.151.0/25 34.0.153.0/24 34.0.155.0/24 34.0.156.101 34.0.157.0/25 34.0.158.247 34.0.159.188 34.0.192.0/25 34.0.193.0/24 34.0.194.0/24 34.0.195.172 34.0.196.200/29 34.0.197.81 34.0.198.25 34.0.199.0/24 34.0.200.0/24 34.0.201.81 34.0.202.34 34.0.203.0/24 34.0.204.0/23 34.0.206.0/25 34.0.207.0/25 34.0.208.195 34.0.209.0/24 34.0.210.20 34.0.211.0/26 34.0.212.0/24 34.0.213.64/26 34.0.215.128/25 34.0.216.238 34.0.217.0/24 34.0.218.83 34.0.220.103 34.0.221.0/24 34.0.222.193 34.0.223.68 34.0.227.0/24 34.0.240.0/21 34.0.248.0/23 34.0.250.0/24 34.0.251.0/25 34.1.216.0/24 34.1.221.166 35.207.64.0/23 35.207.67.116 35.207.71.0/24 35.207.72.32 35.207.73.0/24 35.207.74.0/24 35.207.75.128/25 35.207.76.128/26 35.207.77.0/24 35.207.78.129 35.207.79.0/24 35.207.80.76 35.207.81.248/30 35.207.82.0/23 35.207.84.0/24 35.207.85.160 35.207.86.41 35.207.87.184 35.207.89.188 35.207.91.146 35.207.92.230 35.207.95.0/24 35.207.97.174 35.207.99.134 35.207.100.64/26 35.207.101.130 35.207.103.64/26 35.207.104.0/24 35.207.106.128/26 35.207.107.19 35.207.108.192/27 35.207.109.185 35.207.110.0/24 35.207.111.174 35.207.114.16 35.207.115.163 35.207.116.51 
35.207.117.0/24 35.207.121.204 35.207.122.0/25 35.207.124.145 35.207.125.116 35.207.126.30 35.207.129.0/24 35.207.131.128/27 35.207.132.247 35.207.135.147 35.207.136.69 35.207.137.0/24 35.207.139.0/24 35.207.140.241 35.207.141.119 35.207.142.0/24 35.207.143.96/27 35.207.144.0/25 35.207.145.0/24 35.207.146.89 35.207.147.0/24 35.207.149.0/24 35.207.150.0/24 35.207.151.61 35.207.153.117 35.207.154.0/24 35.207.155.128/25 35.207.156.254 35.207.157.7 35.207.158.192 35.207.160.160 35.207.162.239 35.207.163.0/24 35.207.164.0/25 35.207.165.147 35.207.166.0/25 35.207.167.0/24 35.207.168.116 35.207.170.0/23 35.207.172.0/24 35.207.174.55 35.207.176.128/25 35.207.178.0/24 35.207.180.152 35.207.181.76 35.207.182.125 35.207.184.101 35.207.185.192 35.207.186.128/25 35.207.187.228 35.207.188.0/24 35.207.189.0/25 35.207.190.194 35.207.191.64/26 35.207.193.165 35.207.195.75 35.207.196.0/24 35.207.198.0/23 35.207.201.186 35.207.202.169 35.207.205.211 35.207.207.4 35.207.209.0/25 35.207.210.191 35.207.211.253 35.207.213.97 35.207.214.0/24 35.207.220.147 35.207.221.58 35.207.222.105 35.207.224.151 35.207.225.210 35.207.227.0/24 35.207.229.212 35.207.232.26 35.207.234.182 35.207.238.0/24 35.207.240.0/24 35.207.245.0/24 35.207.249.0/24 35.207.250.212 35.207.251.0/27 35.212.4.134 35.212.12.148 35.212.88.11 35.212.102.50 35.212.111.0/26 35.212.117.247 35.212.120.122 35.213.0.0/24 35.213.2.8 35.213.4.185 35.213.6.118 35.213.7.128/25 35.213.8.168 35.213.10.0/24 35.213.11.21 35.213.12.224/27 35.213.13.19 35.213.14.217 35.213.16.67 35.213.17.235 35.213.23.166 35.213.25.164 35.213.26.62 35.213.27.252 35.213.32.0/24 35.213.33.74 35.213.34.204 35.213.37.81 35.213.38.186 35.213.39.253 35.213.42.0/24 35.213.43.79 35.213.45.0/24 35.213.46.136 35.213.49.17 35.213.50.0/24 35.213.51.213 35.213.52.0/25 35.213.53.0/24 35.213.54.0/24 35.213.56.0/25 35.213.59.0/24 35.213.61.58 35.213.65.0/24 35.213.67.0/24 35.213.68.192/26 35.213.70.151 35.213.72.128/25 35.213.73.245 35.213.74.131 35.213.78.0/24 
35.213.79.137 35.213.80.0/25 35.213.83.128/25 35.213.84.245 35.213.85.0/24 35.213.88.145 35.213.89.80/28 35.213.90.0/24 35.213.91.195 35.213.92.0/24 35.213.93.254 35.213.94.78 35.213.95.145 35.213.96.87 35.213.98.0/24 35.213.99.126 35.213.101.214 35.213.102.0/24 35.213.105.0/24 35.213.106.128/25 35.213.107.158 35.213.109.0/24 35.213.110.40 35.213.111.0/25 35.213.115.0/25 35.213.120.0/24 35.213.122.0/24 35.213.124.89 35.213.125.40 35.213.126.185 35.213.127.0/24 35.213.128.0/22 35.213.132.0/23 35.213.134.140 35.213.135.0/24 35.213.136.0/23 35.213.138.128/25 35.213.139.0/24 35.213.140.0/25 35.213.141.164 35.213.142.128/25 35.213.143.0/24 35.213.144.0/22 35.213.148.0/23 35.213.150.0/24 35.213.152.0/23 35.213.154.137 35.213.155.134 35.213.156.144 35.213.157.0/24 35.213.158.64/26 35.213.160.90 35.213.161.253 35.213.162.0/25 35.213.163.0/24 35.213.164.0/23 35.213.166.106 35.213.167.160/27 35.213.168.0/24 35.213.169.179 35.213.170.0/24 35.213.171.201 35.213.172.159 35.213.173.0/24 35.213.174.128/25 35.213.175.128/26 35.213.176.0/24 35.213.177.0/25 35.213.179.139 35.213.180.0/24 35.213.181.0/25 35.213.182.0/23 35.213.184.0/23 35.213.186.70 35.213.187.0/24 35.213.188.128/25 35.213.190.158 35.213.191.0/24 35.213.192.240/31 35.213.193.74 35.213.194.0/25 35.213.195.178 35.213.196.38 35.213.197.68 35.213.198.0/23 35.213.200.0/23 35.213.202.0/25 35.213.203.195 35.213.204.32/27 35.213.205.170 35.213.207.128/25 35.213.208.85 35.213.210.0/24 35.213.211.176/29 35.213.212.0/24 35.213.213.225 35.213.214.0/25 35.213.215.255 35.213.217.0/24 35.213.218.248 35.213.219.0/25 35.213.220.211 35.213.221.0/24 35.213.222.215 35.213.223.0/24 35.213.225.0/24 35.213.227.227 35.213.229.17 35.213.230.89 35.213.231.0/24 35.213.233.0/24 35.213.234.134 35.213.236.0/24 35.213.237.212 35.213.238.0/24 35.213.240.212 35.213.241.0/24 35.213.242.10 35.213.243.219 35.213.244.146 35.213.245.119 35.213.246.0/23 35.213.249.79 35.213.250.0/24 35.213.251.74 35.213.252.0/24 35.213.253.155 35.213.254.89 35.214.128.248 
35.214.129.220 35.214.130.217 35.214.131.144 35.214.132.189 35.214.133.0/24 35.214.134.163 35.214.137.0/24 35.214.138.0/25 35.214.140.0/24 35.214.142.0/24 35.214.143.41 35.214.144.26 35.214.145.200 35.214.146.9 35.214.147.135 35.214.148.89 35.214.149.110 35.214.151.128/25 35.214.152.0/24 35.214.156.115 35.214.158.181 35.214.159.128/25 35.214.160.128/25 35.214.161.217 35.214.162.0/24 35.214.163.28 35.214.165.102 35.214.167.77 35.214.169.0/24 35.214.170.2 35.214.171.0/25 35.214.172.128/25 35.214.173.0/24 35.214.175.0/24 35.214.177.183 35.214.179.46 35.214.180.0/23 35.214.184.179 35.214.185.28 35.214.186.3 35.214.187.0/24 35.214.191.0/24 35.214.192.128/25 35.214.193.0/24 35.214.194.128/25 35.214.195.0/25 35.214.196.64/26 35.214.197.0/24 35.214.198.7 35.214.199.224 35.214.201.0/25 35.214.203.155 35.214.204.0/23 35.214.207.0/24 35.214.208.128/25 35.214.209.64 35.214.210.0/24 35.214.211.3 35.214.212.64/26 35.214.213.0/25 35.214.214.0/24 35.214.215.64/26 35.214.216.0/23 35.214.218.140 35.214.219.0/24 35.214.220.149 35.214.221.0/24 35.214.222.149 35.214.223.0/24 35.214.224.71 35.214.225.0/24 35.214.226.0/23 35.214.228.0/23 35.214.231.187 35.214.233.8 35.214.235.38 35.214.237.0/24 35.214.238.0/25 35.214.239.0/24 35.214.240.87 35.214.241.0/24 35.214.243.21 35.214.244.0/24 35.214.245.16/28 35.214.246.106 35.214.248.119 35.214.249.154 35.214.250.0/24 35.214.251.128/25 35.214.252.187 35.214.253.0/24 35.214.255.154 35.215.72.85 35.215.73.65 35.215.83.0 35.215.108.111 35.215.115.120 35.215.126.35 35.215.127.34 35.215.128.0/21 35.215.136.0/26 35.215.137.0/24 35.215.138.0/23 35.215.140.0/24 35.215.141.64/27 35.215.142.0/24 35.215.143.83 35.215.144.128/25 35.215.145.0/24 35.215.146.0/24 35.215.147.86 35.215.148.0/23 35.215.150.0/26 35.215.151.0/24 35.215.152.0/24 35.215.153.128/25 35.215.154.240/28 35.215.155.20 35.215.156.0/24 35.215.158.0/23 35.215.160.192/26 35.215.161.0/24 35.215.163.0/24 35.215.164.0/24 35.215.165.236 35.215.166.128/25 35.215.167.128/25 35.215.168.0/24 
35.215.169.12 35.215.170.0/23 35.215.172.0/22 35.215.176.0/24 35.215.177.72 35.215.178.0/24 35.215.179.161 35.215.180.0/22 35.215.184.253 35.215.185.64/26 35.215.186.0/25 35.215.187.0/24 35.215.188.0/23 35.215.190.0/24 35.215.191.61 35.215.192.0/23 35.215.194.192/28 35.215.195.0/24 35.215.196.0/25 35.215.197.0/25 35.215.198.230 35.215.199.204 35.215.200.0/23 35.215.202.0/24 35.215.203.0/25 35.215.204.128/25 35.215.205.0/25 35.215.206.0/23 35.215.208.0/24 35.215.209.0/25 35.215.210.0/23 35.215.212.0/22 35.215.216.0/22 35.215.221.0/24 35.215.222.128/25 35.215.223.126 35.215.224.0/23 35.215.226.0/24 35.215.227.0/25 35.215.228.0/24 35.215.229.64 35.215.230.89 35.215.231.0/24 35.215.232.0/24 35.215.233.0/25 35.215.234.37 35.215.235.0/24 35.215.238.0/25 35.215.239.119 35.215.240.0/24 35.215.241.128/25 35.215.242.0/25 35.215.243.0/24 35.215.244.0/23 35.215.246.222 35.215.247.0/24 35.215.248.0/22 35.215.252.0/24 35.215.253.118 35.215.254.0/23 35.217.0.0/24 35.217.1.64/26 35.217.2.5 35.217.3.0/24 35.217.4.72 35.217.5.0/25 35.217.6.0/24 35.217.8.0/25 35.217.9.0/24 35.217.11.186 35.217.12.0/24 35.217.14.192/26 35.217.15.65 35.217.16.75 35.217.17.128/25 35.217.18.0/24 35.217.19.183 35.217.20.0/24 35.217.21.128/25 35.217.22.128/25 35.217.23.128/25 35.217.24.0/24 35.217.25.81 35.217.26.0/24 35.217.27.128/25 35.217.28.128/25 35.217.29.0/24 35.217.30.0/25 35.217.31.0/25 35.217.32.128/25 35.217.33.0/24 35.217.35.128/25 35.217.36.0/23 35.217.38.179 35.217.39.186 35.217.40.176 35.217.41.204 35.217.43.0/24 35.217.45.248 35.217.46.0/24 35.217.47.128/25 35.217.48.195 35.217.49.160/27 35.217.50.0/25 35.217.51.0/24 35.217.52.117 35.217.53.128/25 35.217.54.0/25 35.217.55.96/27 35.217.56.6 35.217.57.184 35.217.58.0/24 35.217.59.64/26 35.217.60.0/24 35.217.61.128/25 35.217.62.0/24 35.217.63.128/25 35.219.225.149 35.219.226.57 35.219.227.0/24 35.219.228.37 35.219.229.128/25 35.219.230.0/23 35.219.235.0/24 35.219.236.198 35.219.238.115 35.219.239.0/24 35.219.241.0/24 35.219.242.221 
35.219.243.191 35.219.244.1 35.219.245.0/24 35.219.246.159 35.219.247.0/26 35.219.248.0/24 35.219.249.126 35.219.251.186 35.219.252.0/23 35.219.254.0/24 64.233.161.207 64.233.162.207 64.233.163.207 64.233.164.207 64.233.165.207 66.22.196.0/26 66.22.197.0/24 66.22.198.0/26 66.22.199.0/24 66.22.200.0/26 66.22.202.0/26 66.22.204.0/24 66.22.206.0/24 66.22.208.0/25 66.22.210.0/26 66.22.212.0/24 66.22.214.0/24 66.22.216.0/23 66.22.220.0/25 66.22.221.0/24 66.22.222.0/23 66.22.224.0/25 66.22.225.0/26 66.22.226.0/25 66.22.227.0/25 66.22.228.0/22 66.22.233.0/24 66.22.234.0/24 66.22.236.0/23 66.22.238.0/24 66.22.240.0/22 66.22.244.0/23 66.22.248.0/24 74.125.131.207 74.125.205.207 104.17.51.93 104.17.117.93 104.18.4.161 104.18.5.161 104.18.8.105 104.18.9.105 104.18.30.128 104.18.31.128 104.21.2.204 104.21.25.51 104.21.40.151 104.21.59.128 104.21.72.221 104.21.82.160 108.177.14.207 138.128.140.240/28 142.250.150.207 142.251.1.207 162.159.128.232/30 162.159.129.232/30 162.159.130.232/30 162.159.133.232/30 162.159.134.232/30 162.159.135.232/30 162.159.136.232/30 162.159.137.232/30 162.159.138.232/30 172.65.202.19 172.66.41.34 172.66.42.222 172.67.152.224/28 172.67.155.163 172.67.159.89 172.67.177.131 172.67.222.182 173.194.73.207 173.194.220.207 173.194.221.207 173.194.222.207 188.114.96.2 188.114.97.2 188.114.98.224 188.114.99.224 204.11.56.48 209.85.233.207}" + +DNUM=105 +QNUM_DISCORD=$(($DNUM * 5)) +DISCORD_SET_NAME=discord + +zapret_custom_daemons() +{ + # $1 - 1 - run, 0 - stop + + local opt="--qnum=$QNUM_DISCORD $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DISCORD" + do_nfqws $1 $DNUM "$opt" +} + +zapret_custom_firewall() +{ + # $1 - 1 - run, 0 - stop + + local f + local first_packets_only="$ipt_connbytes 1:3" + local desync="-m mark ! 
--mark $DESYNC_MARK/$DESYNC_MARK" + local DISCORD_PORTS_IPT=$(replace_char - : $DISCORD_PORTS) + local dest_set="-m set --match-set $DISCORD_SET_NAME dst" + local subnet + + local DISABLE_IPV6=1 + + [ "$1" = 1 ] && { + ipset create $DISCORD_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null + ipset flush $DISCORD_SET_NAME + for subnet in $DISCORD_SUBNETS; do + echo add $DISCORD_SET_NAME $subnet + done | ipset -! restore + } + + f="-p udp -m multiport --dports $DISCORD_PORTS_IPT" + fw_nfqws_post $1 "$f $desync $first_packets_only $dest_set" "" $QNUM_DISCORD + + [ "$1" = 1 ] || { + ipset destroy $DISCORD_SET_NAME + } +} + +zapret_custom_firewall_nft() +{ + # stop logic is not required + + local f + local first_packets_only="$nft_connbytes 1-3" + local desync="mark and $DESYNC_MARK == 0" + local dest_set="ip daddr @$DISCORD_SET_NAME" + local subnets + + local DISABLE_IPV6=1 + + make_comma_list subnets $DISCORD_SUBNETS + nft_create_set $DISCORD_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;" + nft_flush_set $DISCORD_SET_NAME + nft_add_set_element $DISCORD_SET_NAME "$subnets" + + f="udp dport {$DISCORD_PORTS}" + nft_fw_nfqws_post "$f $desync $first_packets_only $dest_set" "" $QNUM_DISCORD +} diff --git a/init.d/openwrt/custom-nfqws-quic4all b/init.d/sysv/custom.d.examples/50-quic4all similarity index 64% rename from init.d/openwrt/custom-nfqws-quic4all rename to init.d/sysv/custom.d.examples/50-quic4all index 26dfcc7..5f4b593 100644 --- a/init.d/openwrt/custom-nfqws-quic4all +++ b/init.d/sysv/custom.d.examples/50-quic4all 
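Review bot: In zapret_custom_firewall, `ipset create $DISCORD_SET_NAME … 2>/dev/null` hides every failure and the set name is the generic `discord`, so if a set of that name already exists with another type or owner, the next line flushes it and the stop path destroys it. Using `ipset -! create $DISCORD_SET_NAME hash:net hashsize 8192 maxelem 4096` without the redirect would still tolerate an identical leftover set but report a mismatch, and a project-prefixed name such as `DISCORD_SET_NAME=zapret_discord` (constructed example) would avoid touching a set this script does not own. Separately, the header comment still says the script runs "in addition to MODE=nfqws", but none of the three functions calls the built-in mode, which is the wording this patch removes from the sibling examples; `# this custom script runs desync of some udp packets to discord subnets` would match.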
@@ -1,32 +1,25 @@ -# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering +# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake" # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received -QNUM2=$(($QNUM+10)) +DNUM=102 +QNUM2=$(($DNUM * 5)) zapret_custom_daemons() { - # stop logic is managed by procd + # $1 - 1 - run, 0 - stop - local MODE_OVERRIDE=nfqws - local opt - - start_daemons_procd - - opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" - run_daemon 100 $NFQWS "$opt" + local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC" + do_nfqws $1 $DNUM "$opt" } zapret_custom_firewall() { # $1 - 1 - run, 0 - stop - local MODE_OVERRIDE=nfqws local f local first_packets_only="$ipt_connbytes 1:3" local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK" - zapret_do_firewall_rules_ipt $1 - f="-p udp -m multiport --dports $QUIC_PORTS_IPT" fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 @@ -35,13 +28,10 @@ zapret_custom_firewall_nft() { # stop logic is not required - local MODE_OVERRIDE=nfqws local f local first_packets_only="$nft_connbytes 1-3" local desync="mark and $DESYNC_MARK == 0" - zapret_apply_firewall_rules_nft - f="udp dport {$QUIC_PORTS}" nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2 } diff --git a/init.d/sysv/custom-tpws4http-nfqws4https b/init.d/sysv/custom.d.examples/50-tpws4http-nfqws4https similarity index 100% rename from init.d/sysv/custom-tpws4http-nfqws4https rename to init.d/sysv/custom.d.examples/50-tpws4http-nfqws4https diff --git a/init.d/sysv/custom.d/.keep b/init.d/sysv/custom.d/.keep new file mode 100644 index 0000000..e69de29 
diff --git a/init.d/sysv/custom.default b/init.d/sysv/custom.default deleted file mode 100644 index 666d2d4..0000000 --- a/init.d/sysv/custom.default +++ /dev/null @@ -1,34 +0,0 @@ -# this script contain your special code to launch daemons and configure firewall -# use helpers from "functions" file -# in case of upgrade keep this file only, do not modify others - -zapret_custom_daemons() -{ - # $1 - 1 - run, 0 - stop - - # PLACEHOLDER - echo !!! NEED ATTENTION !!! - echo Start daemon\(s\) - echo Study how other sections work - - do_daemon $1 1 /bin/sleep 20 -} -zapret_custom_firewall() -{ - # $1 - 1 - run, 0 - stop - - # PLACEHOLDER - echo !!! NEED ATTENTION !!! - echo Configure iptables for required actions - echo Study how other sections work -} - -zapret_custom_firewall_nft() -{ - # stop logic is not required - - # PLACEHOLDER - echo !!! NEED ATTENTION !!! - echo Configure nftables for required actions - echo Study how other sections work -} diff --git a/init.d/sysv/functions b/init.d/sysv/functions index 519c1e0..9caa569 100644 --- a/init.d/sysv/functions +++ b/init.d/sysv/functions @@ -12,6 +12,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"} . "$ZAPRET_BASE/common/nft.sh" . "$ZAPRET_BASE/common/linux_fw.sh" . "$ZAPRET_BASE/common/list.sh" +. "$ZAPRET_BASE/common/custom.sh" +CUSTOM_DIR="$ZAPRET_RW/init.d/sysv" user_exists() @@ -91,9 +93,6 @@ TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal= # max wait time for the link local ipv6 on the LAN interface LINKLOCAL_WAIT_SEC=5 -CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom" -[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT" - IPSET_EXCLUDE="-m set ! --match-set nozapret" IPSET_EXCLUDE6="-m set ! --match-set nozapret6" @@ -341,7 +340,7 @@ zapret_do_daemons() } ;; custom) - existf zapret_custom_daemons && zapret_custom_daemons $1 + custom_runner zapret_custom_daemons $1 ;; esac diff --git a/install_easy.sh b/install_easy.sh index 67364d8..f2ae1c1 100755 --- a/install_easy.sh 
+++ b/install_easy.sh @@ -138,6 +138,15 @@ select_mode_mode() echo ..edited.. done } + [ "$MODE" = custom ] && { + echo + echo "current custom scripts :" + [ -f "$CUSTOM_DIR/custom" ] && echo "legacy custom script $CUSTOM_DIR/custom" + echo "$CUSTOM_DIR/custom.d :" + [ -d "$CUSTOM_DIR/custom.d" ] && ls "$CUSTOM_DIR/custom.d" + echo "Make sure this is ok" + echo + } } select_mode_http() { @@ -393,7 +402,7 @@ default_files() for dir in openwrt sysv macos; do [ -d "$1/init.d/$dir" ] && { [ -d "$2/init.d/$dir" ] || mkdir -p "$2/init.d/$dir" - [ -f "$2/init.d/$dir/custom" ] || cp "$1/init.d/$dir/custom.default" "$2/init.d/$dir/custom" + [ -d "$2/init.d/$dir/custom.d" ] || mkdir -p "$2/init.d/$dir/custom.d" } done } @@ -484,7 +493,11 @@ _backup_settings() { local i=0 for f in "$@"; do + # safety check + [ -z "$f" -o "$f" = "/" ] && continue + [ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i" + [ -d "$ZAPRET_TARGET/$f" ] && cp -rf "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i" i=$(($i+1)) done } @@ -492,7 +505,14 @@ _restore_settings() { local i=0 for f in "$@"; do + # safety check + [ -z "$f" -o "$f" = "/" ] && continue + [ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i" + [ -d "/tmp/zapret-bkp-$i" ] && { + [ -d "$ZAPRET_TARGET/$f" ] && rm -r "$ZAPRET_TARGET/$f" + mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -r "/tmp/zapret-bkp-$i" + } i=$(($i+1)) done } 
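Review bot: `_backup_settings` and `_restore_settings` keep the backups under fixed names `/tmp/zapret-bkp-$i`, and this change extends that to whole directories (`cp -rf`) whose files are later loaded as custom scripts. /tmp is writable by every local account and the install functions call `require_root`, so a path that already exists there, whether a leftover from an interrupted run or something created by another user, is copied into or restored as if it were the saved settings; `cp -rf` into an existing directory also nests the copy instead of replacing it. I would create a private directory once per backup, `ZAPRET_BKP_DIR=$(mktemp -d) || return 1`, use `"$ZAPRET_BKP_DIR/$i"` in both functions, and remove it after the restore. A smaller point in `_restore_settings`: for a directory backup the `[ -f … ] && mv … || rm -f …` line falls through to `rm -f` on a directory and prints an error before the new `[ -d … ]` block handles it.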
@@ -500,7 +520,7 @@ backup_restore_settings() { # $1 - 1 - backup, 0 - restore local mode=$1 - on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt" + on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/sysv/custom.d" "init.d/openwrt/custom" "init.d/openwrt/custom.d" "init.d/macos/custom" "init.d/macos/custom.d" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt" } check_location() @@ -623,6 +643,7 @@ check_dns() install_systemd() { INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret" + CUSTOM_DIR="$ZAPRET_RW/init.d/sysv" check_bins require_root @@ -650,6 +671,8 @@ _install_sysv() { # $1 - install init script + CUSTOM_DIR="$ZAPRET_RW/init.d/sysv" + check_bins require_root check_readonly_system @@ -687,6 +710,7 @@ install_openrc() install_linux() { INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret" + CUSTOM_DIR="$ZAPRET_RW/init.d/sysv" check_bins require_root @@ -757,6 +781,7 @@ deoffload_openwrt_firewall() install_openwrt() { INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret" + CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt" FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret" OPENWRT_FW_INCLUDE=/etc/firewall.zapret OPENWRT_IFACE_HOOK="$EXEDIR/init.d/openwrt/90-zapret" @@ -829,6 +854,7 @@ macos_fw_reload_trigger_set() install_macos() { INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret" + CUSTOM_DIR="$ZAPRET_RW/init.d/macos" # compile before root check_bins