readme: multiple custom docs

common/custom.sh

@@ -0,0 +1,25 @@
+custom_runner()
+{
+	# $1 - function name
+	# $2+ - params
+
+	local n script FUNC=$1
+
+	shift
+
+	[ -f "$CUSTOM_DIR/custom" ] && {
+		unset -f $FUNC
+		. "$CUSTOM_DIR/custom"
+		existf $FUNC && $FUNC "$@"
+	}
+	[ -d "$CUSTOM_DIR/custom.d" ] && {
+		n=$(ls "$CUSTOM_DIR/custom.d" | wc -c | xargs)
+		[ "$n" = 0 ] || {
+			for script in "$CUSTOM_DIR/custom.d/"*; do
+				unset -f $FUNC
+				. "$script"
+				existf $FUNC && $FUNC "$@"
+			done
+		}
+	}
+}

common/ipt.sh

@@ -437,7 +437,7 @@ zapret_do_firewall_rules_ipt()
 			fi
 			;;
 		custom)
-	    		existf zapret_custom_firewall && zapret_custom_firewall $1
+			custom_runner zapret_custom_firewall $1
 			;;
 	esac
 }

common/nft.sh

@@ -705,7 +705,7 @@ zapret_apply_firewall_rules_nft()
 			POSTNAT=$POSTNAT_SAVE
 			;;
 		custom)
-	    		existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
+			custom_runner zapret_custom_firewall_nft
 			;;
 	esac
 }

common/pf.sh

@@ -106,6 +106,11 @@ pf_anchor_zapret_tables()
 
 	eval $tblv="\"\$_tbl\""
 }
+pf_nat_reorder_rules()
+{
+	# this is dirty hack to move rdr above route-to and remove route-to dups
+	sort -rfu
+}
 pf_anchor_port_target()
 {
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@@ -119,9 +124,17 @@ pf_anchor_port_target()
 
 pf_anchor_zapret_v4_tpws()
 {
-	# $1 - port
+	# $1 - tpws listen port
+	# $2 - rdr ports. defaults are used if empty
+
+	local rule port
+
+	if [ -n "$2" ]; then
+		port="{$2}"
+	else
+		port=$(pf_anchor_port_target)
+	fi
 
-	local rule port=$(pf_anchor_port_target)
 	for lan in $IFACE_LAN; do
 		for t in $tbl; do
 			 echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
@@ -144,7 +157,7 @@ pf_anchor_zapret_v4()
 {
 	local tbl port
 	[ "$DISABLE_IPV4" = "1" ] || {
-		case $MODE in
+		case "${MODE_OVERRIDE:-$MODE}" in
 			tpws)
 				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
@@ -152,16 +165,24 @@ pf_anchor_zapret_v4()
 				;;
 			custom)
 				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
+				custom_runner zapret_custom_firewall_v4 | pf_nat_reorder_rules
 				;;
 		esac
 	}
 }
 pf_anchor_zapret_v6_tpws()
 {
-	# $1 - port
+	# $1 - tpws listen port
+	# $2 - rdr ports. defaults are used if empty
+
+	local rule LL_LAN port
+
+	if [ -n "$2" ]; then
+		port="{$2}"
+	else
+		port=$(pf_anchor_port_target)
+	fi
 
-	local LL_LAN rule port=$(pf_anchor_port_target)
 	# LAN link local is only for router
 	for lan in $IFACE_LAN; do
 		LL_LAN=$(get_ipv6_linklocal $lan)
@@ -188,7 +209,7 @@ pf_anchor_zapret_v6()
 	local tbl port
 
 	[ "$DISABLE_IPV6" = "1" ] || {
-		case $MODE in
+		case "${MODE_OVERRIDE:-$MODE}" in
 			tpws)
 				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
@@ -196,7 +217,7 @@ pf_anchor_zapret_v6()
 				;;
 			custom)
 				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
+				custom_runner zapret_custom_firewall_v6 | pf_nat_reorder_rules
 				;;
 		esac
 	}

docs/changes.txt

@@ -317,3 +317,9 @@ nfqws: multi-strategy
 v63:
 
 tpws: multi-strategy
+
+v64:
+
+blockcheck: warn if dpi bypass software is already running
+blockcheck: TPWS_EXTRA, NFQWS_EXTRA
+init.d: multiple custom scripts

docs/readme.txt

@@ -1,4 +1,4 @@
-zapret v.63
+zapret v.64
 
 English
 -------
@@ -1572,18 +1572,42 @@ nfset-ы принадлежат только одной таблице, след
 Вариант custom
 --------------
 
-custom код вынесен в отдельный shell include
+custom код вынесен в отдельные shell includes.
+Поддерживается старый вариант в
 /opt/zapret/init.d/sysv/custom
-или
 /opt/zapret/init.d/openwrt/custom
+/opt/zapret/init.d/macos/custom
+Он считается устаревшим. Актуальный вариант - помещать отдельные скрипты там же, но в директорию "custom.d".
+Она будет просканирована стандартным образом, т.е. в алфавитном порядке, и каждый скрипт будет применен.
+Рядом имеется "custom.d.examples". Это готовые скрипты, который можно копировать в "custom.d".
+Особо стоит отметить "10-inherit-*". Они наследуют стандартные режимы nfqws/tpws/tpws-socks.
+Полезно, чтобы не писать код заново. Достаточно лишь скопировать соответствующий файл.
 
-Нужно свой код вписать в функции :
+Для linux пишется код в функции
 zapret_custom_daemons
 zapret_custom_firewall
 zapret_custom_firewall_nft
 
-В файле custom пишите ваш код, пользуясь хелперами из "functions" или "zapret".
-Смотрите как там сделано добавление iptables или запуск демонов.
+Для macos
+zapret_custom_daemons
+zapret_custom_firewall_v4
+zapret_custom_firewall_v6
+
+zapret_custom_daemons поднимает демоны nfqws/tpws в нужном вам количестве и с нужными вам параметрами.
+Особо обратите внимание на номер демона в функциях "run_daemon" и "do_daemon".
+Они должны быть уникальными во всех скриптах. При накладке будет ошибка.
+Так же следует избегать пересечения номеров портов tpws и очередей nfqws.
+При пересечении какой-то из демонов не запустится.
+Чтобы как-то нивелировать эту проблему, в examples используется переменная DNUM.
+На ее базе считается диапазон номеров очередей (5 шт), которые использует этот скрипт.
+При таком подходе достаточно, чтобы DNUM был везде уникален.
+Поскольку номера очереди и портов имеют нумерацию до 65536, можно использовать DNUM до 13106.
+Однако, следует оставить номера очереди 200-299 для стандартных режимов и не использовать их.
+
+custom скрипты могут использовать переменные из config. Можно помещать в config свои переменные
+и использовать их в скриптах.
+Можно использовать функции-хелперы. Они являются частью общего пространства функций shell.
+Полезные функции можно взять из примеров скриптов. Так же смотрите "common/*.sh".
 Используя хелпер функции, вы избавитесь от необходимости учитывать все возможные случаи
 типа наличия/отсутствия ipv6, является ли система роутером, имена интерфейсов, ...
 Хелперы это учитывают, вам нужно сосредоточиться лишь на фильтрах {ip,nf}tables и
@@ -1593,13 +1617,12 @@ zapret_custom_firewall_nft
 Запуск это или остановка передается в параметре $1 (0 или 1).
 В openwrt за остановку отвечает procd.
 
-Для фаервола кастом пишется отдельно для iptables и nftables. Все очень похоже, но отличается
+Для фаервола в linux кастом пишется отдельно для iptables и nftables. Все очень похоже, но отличается
 написание фильтров и названия процедур хелперов. Если вам не нужны iptables или nftables -
 можете не писать соответствующую функцию.
 
-Готовый custom скрипт custom-tpws4http-nfqws4https позволяет применить дурение
-tpws к http и nfqws к https. При этом поддерживаются установки из config.
-Его можно использовать как стартовую точку для написания своих скриптов.
+В macos firewall-функции ничего сами никуда не заносят. Их задача - лишь выдать текст в stdout,
+содержащий правила для pf-якоря. Остальное сделает обертка.
 
 
 Простая установка

init.d/macos/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,18 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall_v4()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
+}
+zapret_custom_firewall_v6()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
+}

init.d/macos/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,18 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall_v4()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v4
+}
+zapret_custom_firewall_v6()
+{
+	MODE_OVERRIDE=$OVERRIDE pf_anchor_zapret_v6
+}

init.d/macos/custom.d.examples/50-extra-tpws

@@ -1,16 +1,20 @@
 # this script is an example describing how to run tpws on a custom port
 
-TPPORT_MY=987
+DNUM=100
+TPPORT_MY=${TPPORT_MY:-987}
+TPWS_OPT_MY=${TPWS_OPT_MY:-987}
+TPWS_OPT_SUFFIX_MY="${TPWS_OPT_SUFFIX_MY:-}"
+DPORTS_MY=${DPORTS_MY:-20443,20444,30000-30009}
 
 zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 	local opt="--user=root --port=$TPPORT_MY"
 	tpws_apply_binds opt
-	opt="$opt $TPWS_OPT"
+	opt="$opt $TPWS_OPT_MY"
 	filter_apply_hostlist_target opt
-	filter_apply_suffix opt "$TPWS_OPT_SUFFIX"
-	do_daemon $1 1 "$TPWS" "$opt"
+	filter_apply_suffix opt "$TPWS_OPT_SUFFIX_MY"
+	do_daemon $1 $DNUM "$TPWS" "$opt"
 }
 
 # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
@@ -18,9 +22,9 @@ zapret_custom_daemons()
 
 zapret_custom_firewall_v4()
 {
-	pf_anchor_zapret_v4_tpws $TPPORT_MY
+	pf_anchor_zapret_v4_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
 }
 zapret_custom_firewall_v6()
 {
-	pf_anchor_zapret_v6_tpws $TPPORT_MY
+	pf_anchor_zapret_v6_tpws $TPPORT_MY $(replace_char - : $DPORTS_MY)
 }

init.d/macos/custom.default

@@ -1,21 +0,0 @@
-# this script contain your special code to launch daemons and configure firewall
-# use helpers from "functions" file
-# in case of upgrade keep this file only, do not modify others
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-	:
-}
-
-# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
-# they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
-
-zapret_custom_firewall_v4()
-{
-	:
-}
-zapret_custom_firewall_v6()
-{
-	:
-}

init.d/macos/functions

@@ -7,6 +7,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/base.sh"
 . "$ZAPRET_BASE/common/pf.sh"
 . "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/macos"
 
 IPSET_DIR=$ZAPRET_BASE/ipset
 . "$IPSET_DIR/def.sh"
@@ -184,7 +186,7 @@ zapret_do_daemons()
 		filter)
 			;;
 		custom)
-			existf zapret_custom_daemons && zapret_custom_daemons $1
+			custom_runner zapret_custom_daemons $1
 			;;
 		*)
 			echo "unsupported MODE=$MODE"

init.d/openwrt/custom-reuse-builtin-mode

@@ -1,47 +0,0 @@
-# this custom script demonstrates how to reuse built-in modes and add something from yourself
-
-MY_TPPORT=$(($TPPORT + 1))
-MY_TPWS_OPT="--methodeol --hostcase"
-MY_DPORT=81
-
-zapret_custom_daemons()
-{
-	# stop logic is managed by procd
-
-	local MODE_OVERRIDE=tpws
-	local opt
-
-	start_daemons_procd
-
-	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
-	filter_apply_hostlist_target opt
-	run_tpws 100 "$opt"
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_do_firewall_rules_ipt $1
-
-	f4="-p tcp --dport $MY_DPORT"
-	f6=$f4
-	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_apply_firewall_rules_nft
-
-	f4="tcp dport $MY_DPORT"
-	f6=$f4
-	nft_filter_apply_ipset_target f4 f6
-	nft_fw_tpws "$f4" "$f6" $MY_TPPORT
-}

init.d/openwrt/custom.d.examples/10-inherit-nfqws

@@ -0,0 +1,22 @@
+# this custom script applies nfqws mode as it would be with MODE=nfqws
+
+OVERRIDE=nfqws
+
+zapret_custom_daemons()
+{
+        # stop logic is managed by procd
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,22 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,22 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE start_daemons_procd
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/openwrt/custom.d.examples/50-dht4all

@@ -1,31 +1,24 @@
-# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
 
-QNUM2=$(($QNUM+20))
+DNUM=101
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
         # stop logic is managed by procd
 
-        local MODE_OVERRIDE=nfqws
-        local opt
-
-        zapret_do_daemons $1
-
-        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-	do_nfqws $1 100 "$opt"
+        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+	run_daemon $DNUM $NFQWS "$opt"
 }
 zapret_custom_firewall()
 {
         # $1 - 1 - run, 0 - stop
 
-        local MODE_OVERRIDE=nfqws
         local f uf4 uf6
         local first_packet_only="$ipt_connbytes 1:1"
         local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-        zapret_do_firewall_rules_ipt $1
-
         f='-p udp -m length --length 109:407 -m u32 --u32'
 	uf4='0>>22&0x3C@8>>16=0x6431'
 	uf6='48>>16=0x6431'
@@ -36,13 +29,10 @@ zapret_custom_firewall_nft()
 {
         # stop logic is not required
 
-        local MODE_OVERRIDE=nfqws
         local f
         local first_packet_only="$nft_connbytes 1"
         local desync="mark and $DESYNC_MARK == 0"
 
-        zapret_apply_firewall_rules_nft
-
         f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
         nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }

init.d/openwrt/custom.d.examples/50-quic4all

@@ -1,32 +1,25 @@
-# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
 
-QNUM2=$(($QNUM+10))
+DNUM=102
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local MODE_OVERRIDE=nfqws
-	local opt
-
-	zapret_do_daemons $1
-
-	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	do_nfqws $1 100 "$opt"
+	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	run_daemon $DNUM $NFQWS "$opt"
 }
 zapret_custom_firewall()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-	zapret_do_firewall_rules_ipt $1
-
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 
@@ -35,13 +28,10 @@ zapret_custom_firewall_nft()
 {
 	# stop logic is not required
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$nft_connbytes 1-3"
 	local desync="mark and $DESYNC_MARK == 0"
 
-	zapret_apply_firewall_rules_nft
-
 	f="udp dport {$QUIC_PORTS}"
 	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }

init.d/openwrt/custom.d.examples/50-tpws4http-nfqws4https

@@ -3,7 +3,7 @@
 
 zapret_custom_daemons()
 {
-	# stop logic is managed by procd
+	# $1 - 1 - run, 0 - stop
 
 	local opt
 
@@ -15,7 +15,7 @@ zapret_custom_daemons()
 	}
 
 	[ "$MODE_HTTPS" = "1" ] && {
-		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
+		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
 		filter_apply_hostlist_target opt
 		filter_apply_suffix opt "$NFQWS_OPT_DESYNC_HTTPS_SUFFIX"
 		run_daemon 2 $NFQWS "$opt"
@@ -41,6 +41,8 @@ zapret_custom_firewall()
 		f6=$f4
 		filter_apply_ipset_target f4 f6
 		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		# for modes that require incoming traffic
+		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
 	}
 }
 zapret_custom_firewall_nft()

init.d/openwrt/custom.default

@@ -1,33 +0,0 @@
-# this script contain your special code to launch daemons and configure firewall
-# use helpers from "functions" file and "zapret" init script
-# in case of upgrade keep this file only, do not modify others
-
-zapret_custom_daemons()
-{
-	# stop logic is managed by procd
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Start daemon\(s\)
-	echo Study how other sections work
-
-	run_daemon 1 /bin/sleep 20
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure iptables for required actions
-	echo Study how other sections work
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure nftables for required actions
-	echo Study how other sections work
-}

init.d/openwrt/functions

@@ -12,6 +12,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
 
 [ -n "$QNUM" ] || QNUM=200
 [ -n "$TPPORT" ] || TPPORT=988
@@ -27,9 +29,6 @@ LINKLOCAL_WAIT_SEC=5
 
 IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"
 
-CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/openwrt/custom"
-[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
-
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 

init.d/openwrt/zapret

@@ -173,7 +173,7 @@ start_daemons_procd()
 			}
 			;;
 		custom)
-	    		existf zapret_custom_daemons && zapret_custom_daemons $1
+	    		custom_runner zapret_custom_daemons $1
 			;;
 	esac
 

init.d/sysv/custom-reuse-builtin-mode

@@ -1,47 +0,0 @@
-# this custom script demonstrates how to reuse built-in modes and add something from yourself
-
-MY_TPPORT=$(($TPPORT + 1))
-MY_TPWS_OPT="--methodeol --hostcase"
-MY_DPORT=81
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local MODE_OVERRIDE=tpws
-	local opt
-
-	zapret_do_daemons $1
-
-	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
-	filter_apply_hostlist_target opt
-	do_tpws $1 100 "$opt"
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_do_firewall_rules_ipt $1
-
-	f4="-p tcp --dport $MY_DPORT"
-	f6=$f4
-	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
-}
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	local MODE_OVERRIDE=tpws
-	local f4 f6
-
-	zapret_apply_firewall_rules_nft
-
-	f4="tcp dport $MY_DPORT"
-	f6=$f4
-	nft_filter_apply_ipset_target f4 f6
-	nft_fw_tpws "$f4" "$f6" $MY_TPPORT
-}

init.d/sysv/custom.d.examples/10-inherit-nfqws

@@ -0,0 +1,22 @@
+# this custom script applies nfqws mode as it would be with MODE=nfqws
+
+OVERRIDE=nfqws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/10-inherit-tpws

@@ -0,0 +1,22 @@
+# this custom script applies tpws mode as it would be with MODE=tpws
+
+OVERRIDE=tpws
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/10-inherit-tpws-socks

@@ -0,0 +1,22 @@
+# this custom script applies tpws-socks mode as it would be with MODE=tpws-socks
+
+OVERRIDE=tpws-socks
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_daemons $1
+}
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	MODE_OVERRIDE=$OVERRIDE zapret_do_firewall_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	MODE_OVERRIDE=$OVERRIDE zapret_apply_firewall_rules_nft
+}

init.d/sysv/custom.d.examples/50-dht4all

@@ -1,47 +1,39 @@
-# this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
+# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
 
-QNUM2=$(($QNUM+20))
+DNUM=101
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
         # stop logic is managed by procd
 
-        local MODE_OVERRIDE=nfqws
-        local opt
-
-        start_daemons_procd
-
-        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-        run_daemon 100 $NFQWS "$opt"
+        local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+	do_nfqws $1 $DNUM "$opt"
 }
 zapret_custom_firewall()
 {
         # $1 - 1 - run, 0 - stop
 
-        local MODE_OVERRIDE=nfqws
         local f uf4 uf6
         local first_packet_only="$ipt_connbytes 1:1"
         local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-        zapret_do_firewall_rules_ipt $1
-
         f='-p udp -m length --length 109:407 -m u32 --u32'
 	uf4='0>>22&0x3C@8>>16=0x6431'
 	uf6='48>>16=0x6431'
         fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+
 }
 zapret_custom_firewall_nft()
 {
         # stop logic is not required
 
-        local MODE_OVERRIDE=nfqws
         local f
         local first_packet_only="$nft_connbytes 1"
         local desync="mark and $DESYNC_MARK == 0"
 
-        zapret_apply_firewall_rules_nft
-
         f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
         nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }
+

init.d/sysv/custom.d.examples/50-quic4all

@@ -1,32 +1,25 @@
-# this custom script in addition to MODE=nfqws runs desync to all QUIC initial packets, without ipset/hostlist filtering
+# this custom script runs desync to all QUIC initial packets, without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
 
-QNUM2=$(($QNUM+10))
+DNUM=102
+QNUM2=$(($DNUM * 5))
 
 zapret_custom_daemons()
 {
-	# stop logic is managed by procd
+	# $1 - 1 - run, 0 - stop
 
-	local MODE_OVERRIDE=nfqws
-	local opt
-
-	start_daemons_procd
-
-	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	run_daemon 100 $NFQWS "$opt"
+	local opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+	do_nfqws $1 $DNUM "$opt"
 }
 zapret_custom_firewall()
 {
 	# $1 - 1 - run, 0 - stop
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
 
-	zapret_do_firewall_rules_ipt $1
-
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
 	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 
@@ -35,13 +28,10 @@ zapret_custom_firewall_nft()
 {
 	# stop logic is not required
 
-	local MODE_OVERRIDE=nfqws
 	local f
 	local first_packets_only="$nft_connbytes 1-3"
 	local desync="mark and $DESYNC_MARK == 0"
 
-	zapret_apply_firewall_rules_nft
-
 	f="udp dport {$QUIC_PORTS}"
 	nft_fw_nfqws_post "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }

init.d/sysv/custom.default

@@ -1,34 +0,0 @@
-# this script contain your special code to launch daemons and configure firewall
-# use helpers from "functions" file
-# in case of upgrade keep this file only, do not modify others
-
-zapret_custom_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Start daemon\(s\)
-	echo Study how other sections work
-
-	do_daemon $1 1 /bin/sleep 20
-}
-zapret_custom_firewall()
-{
-	# $1 - 1 - run, 0 - stop
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure iptables for required actions
-	echo Study how other sections work
-}
-
-zapret_custom_firewall_nft()
-{
-	# stop logic is not required
-
-	# PLACEHOLDER
-	echo !!! NEED ATTENTION !!!
-	echo Configure nftables for required actions
-	echo Study how other sections work
-}

init.d/sysv/functions

@@ -12,6 +12,8 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
+. "$ZAPRET_BASE/common/custom.sh"
+CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 
 user_exists()
@@ -91,9 +93,6 @@ TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=
 # max wait time for the link local ipv6 on the LAN interface
 LINKLOCAL_WAIT_SEC=5
 
-CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom"
-[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
-
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 
@@ -341,7 +340,7 @@ zapret_do_daemons()
 			}
 			;;
 		custom)
-	    		existf zapret_custom_daemons && zapret_custom_daemons $1
+			custom_runner zapret_custom_daemons $1
 			;;
 	esac
 

install_bin.sh

@@ -29,11 +29,11 @@ check_dir()
 			fi
 			[ -n "$out" ]
 		else
-			echo "$exe is not executable. set proper chmod."
+			echo >&2 "$exe is not executable. set proper chmod."
 			return 1
 		fi
 	else
-		echo "$exe is absent"
+		echo >&2 "$exe is absent"
 		return 2
 	fi
 }

install_easy.sh

@@ -138,6 +138,15 @@ select_mode_mode()
 			echo ..edited..
 		done
 	}
+	[ "$MODE" = custom ] && {
+		echo
+		echo "current custom scripts :"
+		[ -f "$CUSTOM_DIR/custom" ] && echo "legacy custom script $CUSTOM_DIR/custom"
+		echo "$CUSTOM_DIR/custom.d :"
+		[ -d "$CUSTOM_DIR/custom.d" ] && ls "$CUSTOM_DIR/custom.d"
+		echo "Make sure this is ok"
+		echo
+	}
 }
 select_mode_http()
 {
@@ -393,7 +402,7 @@ default_files()
 	for dir in openwrt sysv macos; do
 		[ -d "$1/init.d/$dir" ] && {
 			[ -d "$2/init.d/$dir" ] || mkdir -p "$2/init.d/$dir"
-			[ -f "$2/init.d/$dir/custom" ] || cp "$1/init.d/$dir/custom.default" "$2/init.d/$dir/custom"
+			[ -d "$2/init.d/$dir/custom.d" ] || mkdir -p "$2/init.d/$dir/custom.d"
 		}
 	done
 }
@@ -484,7 +493,11 @@ _backup_settings()
 {
 	local i=0
 	for f in "$@"; do
+		# safety check
+		[ -z "$f" -o "$f" = "/" ] && continue
+
 		[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
+		[ -d "$ZAPRET_TARGET/$f" ] && cp -rf "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
 		i=$(($i+1))
 	done
 }
@@ -492,7 +505,14 @@ _restore_settings()
 {
 	local i=0
 	for f in "$@"; do
+		# safety check
+		[ -z "$f" -o "$f" = "/" ] && continue
+
 		[ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i"
+		[ -d "/tmp/zapret-bkp-$i" ] && {
+			[ -d "$ZAPRET_TARGET/$f" ] && rm -r "$ZAPRET_TARGET/$f"
+			mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -r "/tmp/zapret-bkp-$i"
+		}
 		i=$(($i+1))
 	done
 }
@@ -500,7 +520,7 @@ backup_restore_settings()
 {
 	# $1 - 1 - backup, 0 - restore
 	local mode=$1
-	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
+	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/sysv/custom.d" "init.d/openwrt/custom" "init.d/openwrt/custom.d" "init.d/macos/custom" "init.d/macos/custom.d" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
 }
 
 check_location()
@@ -623,6 +643,7 @@ check_dns()
 install_systemd()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 	check_bins
 	require_root
@@ -650,6 +671,8 @@ _install_sysv()
 {
 	# $1 - install init script
 
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
+
 	check_bins
 	require_root
 	check_readonly_system
@@ -687,6 +710,7 @@ install_openrc()
 install_linux()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
 
 	check_bins
 	require_root
@@ -757,6 +781,7 @@ deoffload_openwrt_firewall()
 install_openwrt()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
 	FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret"
 	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
 	OPENWRT_IFACE_HOOK="$EXEDIR/init.d/openwrt/90-zapret"
@@ -829,6 +854,7 @@ macos_fw_reload_trigger_set()
 install_macos()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret"
+	CUSTOM_DIR="$ZAPRET_RW/init.d/macos"
 
 	# compile before root
 	check_bins

ipset/create_ipset.sh

@@ -4,12 +4,12 @@
 # $1=no-update    - do not update ipset, only create if its absent
 # $1=clear        - clear ipset
 
-IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+EXEDIR="$(dirname "$0")"
+EXEDIR="$(cd "$EXEDIR"; pwd)"
 
-. "$IPSET_DIR/def.sh"
-. "$IPSET_DIR/../common/fwtype.sh"
-. "$IPSET_DIR/../common/nft.sh"
+. "$EXEDIR/def.sh"
+. "$ZAPRET_BASE/common/fwtype.sh"
+. "$ZAPRET_BASE/common/nft.sh"
 
 IPSET_CMD="$TMPDIR/ipset_cmd.txt"
 IPSET_SAVERAM_CHUNK_SIZE=20000
@@ -119,13 +119,12 @@ nfset_get_script_multi()
 	local set=$1 nonempty N=1 f
 	
 	shift
-
 	# first we need to make sure at least one element exists or nft will fail
 	while :
 	do
 		eval f=\$$N
 		[ -n "$f" ] || break
-		nonempty=$(zzexist "$f" && zzcat "$f" | head -n 1)
+		nonempty=$(zzexist "$f" && zzcat "$f" 2>/dev/null | head -n 1)
 		[ -n "$nonempty" ] && break
 		N=$(($N+1))
 	done

ipset/def.sh

@@ -1,10 +1,12 @@
-[ -n "$IPSET_DIR" ] || {
- IPSET_DIR="$(dirname "$0")"
- IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-}
+EXEDIR="$(dirname "$0")"
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+ZAPRET_BASE=${ZAPRET_BASE:-"$(cd "$EXEDIR/.."; pwd)"}
+ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
+ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
+IPSET_RW_DIR="$ZAPRET_RW/ipset"
 
-. "$IPSET_DIR/../config"
-. "$IPSET_DIR/../common/base.sh"
+. "$ZAPRET_CONFIG"
+. "$ZAPRET_BASE/common/base.sh"
 
 [ -z "$TMPDIR" ] && TMPDIR=/tmp
 [ -z "$GZIP_LISTS" ] && GZIP_LISTS=1
@@ -21,27 +23,27 @@ ZIPSET=zapret
 ZIPSET6=zapret6
 ZIPSET_EXCLUDE=nozapret
 ZIPSET_EXCLUDE6=nozapret6
-ZIPLIST="$IPSET_DIR/zapret-ip.txt"
-ZIPLIST6="$IPSET_DIR/zapret-ip6.txt"
-ZIPLIST_EXCLUDE="$IPSET_DIR/zapret-ip-exclude.txt"
-ZIPLIST_EXCLUDE6="$IPSET_DIR/zapret-ip-exclude6.txt"
-ZIPLIST_USER="$IPSET_DIR/zapret-ip-user.txt"
-ZIPLIST_USER6="$IPSET_DIR/zapret-ip-user6.txt"
-ZUSERLIST="$IPSET_DIR/zapret-hosts-user.txt"
-ZHOSTLIST="$IPSET_DIR/zapret-hosts.txt"
+ZIPLIST="$IPSET_RW_DIR/zapret-ip.txt"
+ZIPLIST6="$IPSET_RW_DIR/zapret-ip6.txt"
+ZIPLIST_EXCLUDE="$IPSET_RW_DIR/zapret-ip-exclude.txt"
+ZIPLIST_EXCLUDE6="$IPSET_RW_DIR/zapret-ip-exclude6.txt"
+ZIPLIST_USER="$IPSET_RW_DIR/zapret-ip-user.txt"
+ZIPLIST_USER6="$IPSET_RW_DIR/zapret-ip-user6.txt"
+ZUSERLIST="$IPSET_RW_DIR/zapret-hosts-user.txt"
+ZHOSTLIST="$IPSET_RW_DIR/zapret-hosts.txt"
 
 ZIPSET_IPBAN=ipban
 ZIPSET_IPBAN6=ipban6
-ZIPLIST_IPBAN="$IPSET_DIR/zapret-ip-ipban.txt"
-ZIPLIST_IPBAN6="$IPSET_DIR/zapret-ip-ipban6.txt"
-ZIPLIST_USER_IPBAN="$IPSET_DIR/zapret-ip-user-ipban.txt"
-ZIPLIST_USER_IPBAN6="$IPSET_DIR/zapret-ip-user-ipban6.txt"
-ZUSERLIST_IPBAN="$IPSET_DIR/zapret-hosts-user-ipban.txt"
-ZUSERLIST_EXCLUDE="$IPSET_DIR/zapret-hosts-user-exclude.txt"
+ZIPLIST_IPBAN="$IPSET_RW_DIR/zapret-ip-ipban.txt"
+ZIPLIST_IPBAN6="$IPSET_RW_DIR/zapret-ip-ipban6.txt"
+ZIPLIST_USER_IPBAN="$IPSET_RW_DIR/zapret-ip-user-ipban.txt"
+ZIPLIST_USER_IPBAN6="$IPSET_RW_DIR/zapret-ip-user-ipban6.txt"
+ZUSERLIST_IPBAN="$IPSET_RW_DIR/zapret-hosts-user-ipban.txt"
+ZUSERLIST_EXCLUDE="$IPSET_RW_DIR/zapret-hosts-user-exclude.txt"
 
 
-[ -n "$IP2NET" ] || IP2NET="$IPSET_DIR/../ip2net/ip2net"
-[ -n "$MDIG" ] || MDIG="$IPSET_DIR/../mdig/mdig"
+[ -n "$IP2NET" ] || IP2NET="$ZAPRET_BASE/ip2net/ip2net"
+[ -n "$MDIG" ] || MDIG="$ZAPRET_BASE/mdig/mdig"
 [ -z "$MDIG_THREADS" ] && MDIG_THREADS=30
 
 

nfq/desync.c

@@ -630,7 +630,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		{
 			dp = ctrack->dp;
 			ctrack_replay = ctrack;
-			maybe_cutoff(ctrack, IPPROTO_TCP);
 		}
 		if (dp)
 			DLOG("using cached desync profile %d\n",dp->n);
@@ -648,6 +647,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("matching desync profile not found\n");
 			return verdict;
 		}
+		maybe_cutoff(ctrack, IPPROTO_TCP);
 
 		HostFailPoolPurgeRateLimited(&dp->hostlist_auto_fail_counters);
 
@@ -1435,7 +1435,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 		{
 			dp = ctrack->dp;
 			ctrack_replay = ctrack;
-			maybe_cutoff(ctrack, IPPROTO_UDP);
 		}
 		if (dp)
 			DLOG("using cached desync profile %d\n",dp->n);
@@ -1453,6 +1452,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG("matching desync profile not found\n");
 			return verdict;
 		}
+		maybe_cutoff(ctrack, IPPROTO_UDP);
 
 		HostFailPoolPurgeRateLimited(&dp->hostlist_auto_fail_counters);
 		//ConntrackPoolDump(&params.conntrack);