separate desync options for http and https

init.d/sysv/functions

@@ -12,7 +12,9 @@ WS_USER=tpws
 
 [ -n "$QNUM" ] || QNUM=200
 NFQWS="$ZAPRET_BASE/nfq/nfqws"
-NFQWS_OPT_BASE="--qnum=$QNUM --user=$WS_USER"
+NFQWS_OPT_BASE="--user=$WS_USER --dpi-desync-fwmark=$DESYNC_MARK"
+NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
+NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
 
 [ -n "$TPPORT" ] || TPPORT=988
 TPWS="$ZAPRET_BASE/tpws/tpws"
@@ -21,7 +23,7 @@ HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt.gz"
 [ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts.txt"
 [ -f "$HOSTLIST" ] || HOSTLIST="$ZAPRET_BASE/ipset/zapret-hosts-user.txt"
 
-TPWS_OPT_BASE="--user=$WS_USER --port=$TPPORT"
+TPWS_OPT_BASE="--user=$WS_USER"
 TPWS_OPT_BASE4="--bind-addr=$TPWS_LOCALHOST4"
 TPWS_OPT_BASE6="--bind-addr=::1"
 TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
@@ -29,6 +31,7 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
 # first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
 TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
 
+
 [ -n "$IFACE_WAN" ] && IPT_OWAN="-o $IFACE_WAN"
 [ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN"
 [ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN"
@@ -214,7 +217,7 @@ fw_tpws4()
 	# $3 - tpws port
 	[ "$DISABLE_IPV4" = "1" ] || {
 		[ "$1" = 1 ] && prepare_tpws_fw4
-		print_op $1 "$2" "tpws"
+		print_op $1 "$2" "tpws (port $3)"
 		[ -n "$IFACE_LAN" ] && {
 			ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3
 	 	}
@@ -227,7 +230,7 @@ fw_tpws6()
 	# $2 - iptable filter for ipv6
 	# $3 - tpws port
 	[ "$DISABLE_IPV6" = "1" ] || {
-		print_op $1 "$2" "tpws" 6
+		print_op $1 "$2" "tpws (port $3)" 6
 		[ -n "$IFACE_LAN" ] && {
 			dnat6_target
 			[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 $IPSET_EXCLUDE6 dst -j DNAT --to [$DNAT6_TARGET]:$3
@@ -252,7 +255,7 @@ fw_nfqws_pre4()
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
 	[ "$DISABLE_IPV4" = "1" ] || {
-		print_op $1 "$2" "nfqws prerouting"
+		print_op $1 "$2" "nfqws prerouting (qnum $3)"
 		ipt_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@@ -262,7 +265,7 @@ fw_nfqws_pre6()
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
 	[ "$DISABLE_IPV6" = "1" ] || {
-		print_op $1 "$2" "nfqws prerouting" 6
+		print_op $1 "$2" "nfqws prerouting (qnum $3)" 6
 		ipt6_add_del $1 PREROUTING -t mangle $IPT_IWAN -p tcp $2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@@ -281,7 +284,7 @@ fw_nfqws_post4()
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
 	[ "$DISABLE_IPV4" = "1" ] || {
-		print_op $1 "$2" "nfqws postrouting"
+		print_op $1 "$2" "nfqws postrouting (qnum $3)"
 		ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@@ -291,7 +294,7 @@ fw_nfqws_post6()
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
 	[ "$DISABLE_IPV6" = "1" ] || {
-		print_op $1 "$2" "nfqws postrouting" 6
+		print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
 		ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass
 	}
 }
@@ -458,6 +461,7 @@ zapret_do_firewall()
 	local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 	local f4 f6
+	local qn
 
 	# always create ipsets. ip_exclude ipset is required
 	[ "$1" != "1" ] || create_ipset no-update
@@ -478,9 +482,16 @@ zapret_do_firewall()
 			if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
 				echo both http and https are disabled. not applying redirection.
 			else
-				if [ "$MODE_HTTP_KEEPALIVE" = "1" ]; then
+				if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
+					filter_apply_port_target f4
+					f4="$f4 $first_packet_only"
+					f6=$f4
+					filter_apply_ipset_target f4 f6
+					fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+				else
 					if [ "$MODE_HTTP" = "1" ]; then
 						f4="--dport 80"
+						[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 						f6=$f4
 						filter_apply_ipset_target f4 f6
 						fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
@@ -489,14 +500,10 @@ zapret_do_firewall()
 						f4="--dport 443 $first_packet_only"
 						f6=$f4
 						filter_apply_ipset_target f4 f6
-						fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+						qn=$QNUM
+						[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || qn=$(($QNUM+1))
+						fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $qn
 					fi
-				else
-					filter_apply_port_target f4
-					f4="$f4 $first_packet_only"
-					f6=$f4
-					filter_apply_ipset_target f4 f6
-					fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
 				fi
 			fi
 			;;
@@ -523,20 +530,25 @@ zapret_do_daemons()
 
 	case "${MODE}" in
 		tpws)
-			opt="$TPWS_OPT"
+			opt="--port=$TPPORT $TPWS_OPT"
 			filter_apply_hostlist_target opt
 			do_tpws $1 1 "$opt"
 			;;
 		tpws-socks)
-			opt="$TPWS_OPT_BASE --socks $TPWS_OPT"
+			opt="--port=$TPPORT $TPWS_OPT_BASE --socks $TPWS_OPT"
 			tpws_apply_socks_binds opt
 			filter_apply_hostlist_target opt
 			do_daemon $1 1 "$TPWS" "$opt"
 			;;
 		nfqws)
-			opt="$NFQWS_OPT_DESYNC"
+			opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTP"
 			filter_apply_hostlist_target opt
 			do_nfqws $1 1 "$opt"
+			[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || {
+				opt="--qnum=$(($QNUM+1)) $NFQWS_OPT_DESYNC_HTTPS"
+				filter_apply_hostlist_target opt
+				do_nfqws $1 2 "$opt"
+			}
 			;;
 		custom)
 	    		existf zapret_custom_daemons && zapret_custom_daemons $1