
No commits in common. "67e1aee8a81d710409864a6a555a3effea1707e2" and "e5e53db6b800bc7dea4d5e338a9d369968f6697e" have entirely different histories.

5 changed files with 103 additions and 114 deletions


@ -477,4 +477,3 @@ v70.6
nfqws: detect Discord Voice IP discovery packets nfqws: detect Discord Voice IP discovery packets
nfqws: detect STUN message packets nfqws: detect STUN message packets
nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni> nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
init.d: remove 50-discord


@ -12,10 +12,10 @@ Other packages may be required on your distribution. Look for the errors.
examples : examples :
curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64 cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64 cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
3) Install required libs 3) Install required libs
@ -48,7 +48,7 @@ static build : make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
executables only : build_dir/target/<progname> executables only : build_dir/target/<progname>
ipk or apk packages : bin/packages/*/base ipk or apk packages : bin/packages/*/base
8) Installing to openwrt to use with zapret 8) Installating to openwrt to use with zapret
zapret with or without binaries should be already installed in /opt/zapret. zapret with or without binaries should be already installed in /opt/zapret.
Install ipk's or apk's with all compiled progs using opkg or apk. Install ipk's or apk's with all compiled progs using opkg or apk.

File diff suppressed because one or more lines are too long


@ -1,74 +0,0 @@
# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
# can override in config :
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
alloc_dnum DNUM_NFQWS_MY1
alloc_qnum QNUM_NFQWS_MY1
NFQWS_MY1_SET_NAME=my1nfqws4
zapret_custom_daemons()
{
# $1 - 1 - run, 0 - stop
local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
}
zapret_custom_firewall()
{
# $1 - 1 - run, 0 - stop
local f
local first_packets_only="$ipt_connbytes 1:3"
local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
local subnet
local DISABLE_IPV6=1
[ "$1" = 1 ] && {
ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
ipset flush $NFQWS_MY1_SET_NAME
for subnet in $NFQWS_MY1_SUBNETS; do
echo add $NFQWS_MY1_SET_NAME $subnet
done | ipset -! restore
}
f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
[ "$1" = 1 ] || {
ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
}
}
zapret_custom_firewall_nft()
{
# stop logic is not required
local f
local first_packets_only="$nft_connbytes 1-3"
local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
local subnets
local DISABLE_IPV6=1
make_comma_list subnets $NFQWS_MY1_SUBNETS
nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
nft_flush_set $NFQWS_MY1_SET_NAME
nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
f="udp dport {$NFQWS_MY1_PORTS}"
nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
}
zapret_custom_firewall_nft_flush()
{
# this function is called after all nft fw rules are deleted
# however sets are not deleted. it's desired to clear sets here.
nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
}


@ -1067,20 +1067,11 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
{ {
size_t slen_new = strlen(fake_tls_sni); size_t slen_new = strlen(fake_tls_sni);
ssize_t slen_delta = slen_new-slen; ssize_t slen_delta = slen_new-slen;
char *s1=NULL;
if (params.debug)
{
if ((s1 = malloc(slen+1)))
{
memcpy(s1,sni,slen); s1[slen]=0;
}
}
if (slen_delta) if (slen_delta)
{ {
if ((*fake_tls_size+slen_delta)>fake_tls_buf_size) if ((*fake_tls_size+slen_delta)>fake_tls_buf_size)
{ {
DLOG_ERR("profile %d fake[%d] not enough space for new SNI\n", profile_n, fake_n); DLOG_ERR("profile %d fake[%d] not enough space for new SNI\n", profile_n, fake_n);
free(s1);
return false; return false;
} }
memmove(sni+slen_new,sni+slen,fake_tls+*fake_tls_size-(sni+slen)); memmove(sni+slen_new,sni+slen,fake_tls+*fake_tls_size-(sni+slen));
@ -1093,9 +1084,7 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
*fake_tls_size+=slen_delta; *fake_tls_size+=slen_delta;
slen = slen_new; slen = slen_new;
} }
DLOG("profile %d fake[%d] change SNI : %s => %s size_delta=%zd\n", profile_n, fake_n, s1, fake_tls_sni, slen_delta); DLOG("profile %d fake[%d] change sni to %s size_delta=%zd\n", profile_n, fake_n, fake_tls_sni,slen_delta);
free(s1);
memcpy(sni,fake_tls_sni,slen_new); memcpy(sni,fake_tls_sni,slen_new);
} }
if (fake_tls_mod & FAKE_TLS_MOD_RND_SNI) if (fake_tls_mod & FAKE_TLS_MOD_RND_SNI)
@ -1136,35 +1125,35 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
} }
} }
} }
if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP) }
if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
{
if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
{ {
if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false)) if ((ext-fake_tls+extlen)!=*fake_tls_size)
{ {
if ((ext-fake_tls+extlen)!=*fake_tls_size) DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
{ return false;
DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
return false;
}
modcache->padlen_offset = ext-fake_tls-2;
DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
} }
else modcache->padlen_offset = ext-fake_tls-2;
DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
}
else
{
if ((*fake_tls_size+4)>fake_tls_buf_size)
{ {
if ((*fake_tls_size+4)>fake_tls_buf_size) DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
{ return false;
DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
return false;
}
phton16(fake_tls+*fake_tls_size,21);
*fake_tls_size+=2;
modcache->padlen_offset=*fake_tls_size;
phton16(fake_tls+*fake_tls_size,0);
*fake_tls_size+=2;
phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
} }
phton16(fake_tls+*fake_tls_size,21);
*fake_tls_size+=2;
modcache->padlen_offset=*fake_tls_size;
phton16(fake_tls+*fake_tls_size,0);
*fake_tls_size+=2;
phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
} }
} }
return true; return true;
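Review bot: The `FAKE_TLS_MOD_PADENCAP` block in the last hunk now runs after the closing brace of the block that enclosed it on the old side, but its else-branch still patches `fake_tls+modcache->extlen_offset`, `fake_tls+3` and `fake_tls+6`. Where `extlen_offset` is assigned is outside the hunk; if that happens only inside the block that now closes first, the padding path would rewrite a length field at an unset offset in the fake ClientHello. I would state the dependency above the block with `// relies on modcache->extlen_offset having been set earlier in this function` and, if 0 is the unset value, add `if (!modcache->extlen_offset) return false;` before the first `phton16`. The `+4` added to the 16-bit and 24-bit length fields is also unchecked for wrap-around, which appears to rely on `fake_tls_buf_size` staying well below 64K. `onetime_tls_mod_blob` starts and ends outside the hunks shown.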