feat: keenetic support

common/installer.sh

@@ -107,6 +107,8 @@ check_system()
 		}
 		elif openrc_test; then
 			SYSTEM=openrc
+		elif [ -f "/bin/ndm" ]; then
+			SYSTEM=keenetic
 		else
 			echo system is not either systemd, openrc or openwrt based
 			echo easy installer can set up config settings but can\'t configure auto start
@@ -202,6 +204,9 @@ cron_ensure_running()
 		/etc/init.d/cron enable
 		/etc/init.d/cron start
 	}
+	[ "$SYSTEM" = "keenetic" ] && {
+		/opt/etc/init.d/S10cron start
+	}
 }
 
 
@@ -462,3 +467,43 @@ remove_macos_firewall()
 	pf_anchor_root_del
 	pf_anchor_root_reload
 }
+
+install_keenetic_netfilter_hook()
+{
+		echo \* installing netfilter hook
+
+		[ -n "MODE" ] || {
+			echo "should specify MODE in $ZAPRET_CONFIG"
+			exitp 7
+		}
+
+		echo "linking : $KEENETIC_NETFILTER_HOOK_SRC => $KEENETIC_NETFILTER_HOOK_DST"
+		ln -fs "$KEENETIC_NETFILTER_HOOK_SRC" "$KEENETIC_NETFILTER_HOOK_DST"
+}
+
+remove_keenetic_netfilter_hook()
+{
+	rm -f "$KEENETIC_NETFILTER_HOOK_DST"
+}
+
+service_install_keenetic()
+{
+	echo \* installing zapret service
+
+	ln -sf "$ZAPRET_BASE/init.d/keenetic/zapret" /opt/etc/init.d/S99zapret
+}
+
+service_start_keenetic()
+{
+	echo \* starting zapret service
+
+	"$INIT_SCRIPT_SRC" start
+}
+
+service_remove_keenetic()
+{
+	echo \* removing zapret service
+
+	rm -f /opt/etc/init.d/S99zapret
+	zapret_stop_daemons
+}

init.d/keenetic/custom

@@ -0,0 +1,34 @@
+# this script contain your special code to launch daemons and configure firewall
+# use helpers from "functions" file
+# in case of upgrade keep this file only, do not modify others
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Start daemon\(s\)
+	echo Study how other sections work
+
+	do_daemon $1 1 /bin/sleep 20
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Configure iptables for required actions
+	echo Study how other sections work
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	# PLACEHOLDER
+	echo !!! NEED ATTENTION !!!
+	echo Configure nftables for required actions
+	echo Study how other sections work
+}

init.d/keenetic/custom-nfqws-quic4all

@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
+# russian TSPU version  : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-fake-quic=/opt/zapret/files/fake/quic_short_header.bin"
+# NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
+
+QNUM2=$(($QNUM+10))
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local MODE_OVERRIDE=nfqws
+	local opt
+
+	zapret_do_daemons $1
+
+	opt="--qnum=$QNUM2 $NFQWS_OPT_DESYNC_QUIC"
+	do_nfqws $1 100 "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local MODE_OVERRIDE=nfqws
+	local f
+	local first_packets_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:3"
+	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+	zapret_do_firewall_rules_ipt $1
+
+	f="-p udp --dport 443"
+	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+  fw_nfqws_quic $1 "$f -m mark --mark $DESYNC_MARK/$DESYNC_MARK"
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local MODE_OVERRIDE=nfqws
+	local f
+	local first_packets_only="ct original packets 1-3"
+	local desync="mark and $DESYNC_MARK == 0"
+
+	zapret_apply_firewall_rules_nft
+
+	f="udp dport 443"
+	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+	nft_fw_nfqws_quic "$f mark and $DESYNC_MARK == $DESYNC_MARK"
+}

init.d/keenetic/custom-reuse-builtin-mode

@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# this custom script demonstrates how to reuse built-in modes and add something from yourself
+
+MY_TPPORT=$(($TPPORT + 1))
+MY_TPWS_OPT="--methodeol --hostcase"
+MY_DPORT=81
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local MODE_OVERRIDE=tpws
+	local opt
+
+	zapret_do_daemons $1
+
+	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
+	filter_apply_hostlist_target opt
+	do_tpws $1 100 "$opt"
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local MODE_OVERRIDE=tpws
+	local f4 f6
+
+	zapret_do_firewall_rules_ipt $1
+
+	f4="-p tcp --dport $MY_DPORT"
+	f6=$f4
+	filter_apply_ipset_target f4 f6
+	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local MODE_OVERRIDE=tpws
+	local f4 f6
+
+	zapret_apply_firewall_rules_nft
+
+	f4="tcp dport $MY_DPORT"
+	f6=$f4
+	nft_filter_apply_ipset_target f4 f6
+	nft_fw_tpws "$f4" "$f6" $MY_TPPORT
+}

init.d/keenetic/custom-tpws4http-nfqws4https

@@ -0,0 +1,69 @@
+#!/bin/sh
+
+# this custom script demonstrates how to apply tpws to http and nfqws to https
+# it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt
+
+	[ "$MODE_HTTP" = "1" ] && {
+		opt="--port=$TPPORT $TPWS_OPT"
+		filter_apply_hostlist_target opt
+		do_tpws $1 1 "$opt"
+	}
+
+	[ "$MODE_HTTPS" = "1" ] && {
+		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
+		filter_apply_hostlist_target opt
+		do_nfqws $1 2 "$opt"
+	}
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6
+	local first_packet_only="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:4"
+	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
+
+	[ "$MODE_HTTP" = "1" ] && {
+		f4="-p tcp --dport 80"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_tpws $1 "$f4" "$f6" $TPPORT
+	}
+
+	[ "$MODE_HTTPS" = "1" ] && {
+		f4="-p tcp --dport 443 $first_packet_only"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		fw_nfqws_quic $1 "$f4 -m mark --mark $DESYNC_MARK/$DESYNC_MARK"
+	}
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f4 f6
+	local first_packet_only="ct original packets 1-4"
+	local desync="mark and $DESYNC_MARK == 0"
+
+	[ "$MODE_HTTP" = "1" ] && {
+		f4="tcp dport 80"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_tpws "$f4" "$f6" $TPPORT
+	}
+
+	[ "$MODE_HTTPS" = "1" ] && {
+		f4="tcp dport 443 $first_packet_only"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+		nft_fw_nfqws_quic $1 "$f4 mark and $DESYNC_MARK == $DESYNC_MARK"
+	}
+}

init.d/keenetic/functions

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+EXEDIR=$(dirname "$SCRIPT")
+ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+. "$ZAPRET_BASE/init.d/sysv/functions"
+
+CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/keenetic/custom"
+[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
+
+load_kmod()
+{
+	if lsmod | grep "$1" &> /dev/null ;  then
+		echo "$1.ko is already loaded"
+	else
+		if insmod "/lib/modules/$(uname -r)/$1.ko" &> /dev/null; then
+			echo "$1.ko loaded"
+		else
+			echo "Cannot find $1.ko kernel module, aborting"
+			exit 1
+		fi
+	fi
+}
+
+# Fix local source ip issue when quic packets were sent with raw sockets (no Keenetic-specific iptable marks were applied)
+fw_nfqws_quic()
+{
+		# $1 - 1 - add, 0 - del
+		# $2 - iptable filter
+
+		ipt_print_op $1 "$2" "nfqws quic masquerade"
+
+		rule="$2 -d 0/0 -j MASQUERADE"
+		if [ -n "$IFACE_WAN" ] ; then
+			for wan in $IFACE_WAN; do
+				ipt_add_del $1 POSTROUTING -t nat -o $wan $rule
+			done
+		else
+			ipt_add_del $1 POSTROUTING -t nat $rule
+		fi
+}
+
+nft_fw_nfqws_quic()
+{
+	echo "Quic through nft is not supported"
+}

init.d/keenetic/netfilter.hook.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+[ "$type" == "ip6tables" ] && exit 0
+[ "$table" != "mangle" ] && exit 0
+
+SCRIPT=$(readlink /opt/etc/init.d/S99zapret)
+if [ -n "$SCRIPT" ]; then
+	EXEDIR=$(dirname "$SCRIPT")
+	ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+else
+	ZAPRET_BASE=/opt/zapret
+fi
+
+. "$EXEDIR/functions"
+
+case $MODE in
+	nfqws|twps|custom)
+		zapret_apply_firewall
+	;;
+esac

init.d/keenetic/zapret

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+EXEDIR=$(dirname "$SCRIPT")
+ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+. "$EXEDIR/functions"
+
+do_start()
+{
+	sysctl -w "net.netfilter.nf_conntrack_checksum=0"
+	load_kmod xt_string
+	load_kmod xt_NFQUEUE
+	load_kmod xt_multiport
+	load_kmod xt_owner
+	load_kmod xt_connbytes
+	zapret_run_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
+}
+do_stop()
+{
+	sysctl -w "net.netfilter.nf_conntrack_checksum=1"
+	zapret_stop_daemons
+	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
+}
+
+case $1 in
+		start)
+				do_start
+				;;
+		stop|kill)
+				do_stop
+				;;
+	restart)
+		"$0" stop
+		"$0" start
+		;;
+		*)
+				echo -e "Usage: $0 (start|stop|restart)" >&2
+				exit 1
+				;;
+esac
+
+exit 0

install_easy.sh

@@ -964,6 +964,105 @@ install_macos()
 	service_start_macos
 }
 
+check_prerequisites_keenetic()
+{
+	echo \* checking prerequisites
+
+	local PKGS="curl" PKGS UPD=0
+
+	case "$FWTYPE" in
+		iptables)
+			PKGS="$PKGS"
+			[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS"
+			;;
+		nftables)
+			PKGS="$PKGS"
+			[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS"
+			;;
+	esac
+
+	if check_packages_openwrt $PKGS ; then
+		echo everything is present
+	else
+		echo \* installing prerequisites
+
+		opkg update
+		UPD=1
+		opkg install $PKGS || {
+			echo could not install prerequisites
+			exitp 6
+		}
+	fi
+
+	is_linked_to_busybox gzip && {
+		echo
+		echo your system uses default busybox gzip. its several times slower than GNU gzip.
+		echo ip/host list scripts will run much faster with GNU gzip
+		echo installer can install GNU gzip but it requires about 100 Kb space
+		if ask_yes_no N "do you want to install GNU gzip"; then
+			[ "$UPD" = "0" ] && {
+				opkg update
+				UPD=1
+			}
+			opkg install --force-overwrite gzip
+		fi
+	}
+	is_linked_to_busybox sort && {
+		echo
+		echo your system uses default busybox sort. its much slower and consumes much more RAM than GNU sort
+		echo ip/host list scripts will run much faster with GNU sort
+		echo installer can install GNU sort but it requires about 100 Kb space
+		if ask_yes_no N "do you want to install GNU sort"; then
+			[ "$UPD" = "0" ] && {
+				opkg update
+				UPD=1
+			}
+			opkg install --force-overwrite coreutils-sort
+		fi
+	}
+	is_linked_to_busybox grep && {
+		echo
+		echo your system uses default busybox grep. its damn infinite slow with -f option
+		echo get_combined.sh will be severely impacted
+		echo installer can install GNU grep but it requires about 0.5 Mb space
+		if ask_yes_no N "do you want to install GNU grep"; then
+			[ "$UPD" = "0" ] && {
+				opkg update
+				UPD=1
+			}
+			opkg install --force-overwrite grep
+
+			# someone reported device partially fail if /bin/grep is absent
+			# grep package deletes /bin/grep
+			[ -f /bin/grep ] || ln -s busybox /bin/grep
+		fi
+	}
+}
+
+install_keenetic()
+{
+  INIT_SCRIPT_SRC="$EXEDIR/init.d/keenetic/zapret"
+  KEENETIC_NETFILTER_HOOK_SRC="$EXEDIR/init.d/keenetic/netfilter.hook.sh"
+  KEENETIC_NETFILTER_HOOK_DST=/opt/etc/ndm/netfilter.d/zapret.sh
+
+  check_bins
+  require_root
+  check_location copy_all
+  install_binaries
+  check_dns
+  select_fwtype
+  check_prerequisites_keenetic
+  select_ipv6
+  ask_config
+  ask_config_offload
+  service_install_keenetic
+  download_list
+  crontab_del_quiet
+  crontab_add 0 6
+  cron_ensure_running
+  install_keenetic_netfilter_hook
+  service_start_keenetic
+}
 
 # build binaries, do not use precompiled
 [ "$1" = "make" ] && FORCE_BUILD=1
@@ -986,6 +1085,9 @@ case $SYSTEM in
 	openwrt)
 		install_openwrt
 		;;
+	keenetic)
+		install_keenetic
+		;;
 	macos)
 		install_macos
 		;;

uninstall_easy.sh

@@ -73,6 +73,17 @@ remove_macos()
 	crontab_del
 }
 
+remove_keenetic()
+{
+  KEENETIC_NETFILTER_HOOK_DST=/opt/etc/ndm/netfilter.d/zapret.sh
+
+  clear_ipset
+  remove_keenetic_netfilter_hook
+  service_remove_keenetic
+  nft_del_table
+  crontab_del
+}
+
 
 fix_sbin_path
 check_system
@@ -96,6 +107,9 @@ case $SYSTEM in
 	macos)
 		remove_macos
 		;;
+	keenetic)
+		remove_keenetic
+		;;
 esac